
<form> POST versus Access Control POST

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 16 Jan 2008 14:07:18 +0100
To: "WAF WG (public)" <public-appformats@w3.org>
Message-ID: <op.t40xegt564w2qv@annevk-t60.oslo.opera.com>

tlr has some doubts whether the distinction between <form> POST and Access  
Control POST is sufficient enough to give Access Control POST a preflight  
OPTIONS as it might lead authors to think that they are protected against  
cross-site POST requests while in reality, if they don't do careful  
checking of the Content-Type header or require some kind of magic string  
previously obtained using a normal GET request, they are not.

We earlier decided to let authors perform the additional check and require  
the preflight OPTIONS so I'll leave the specification as is unless people  
start changing their minds...


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 16 January 2008 13:04:17 UTC
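
The server-side check this message refers to, as an added example that is not part of the original message or of the Access Control specification: a POST is accepted only if it carries a token handed out on an earlier GET, or a Content-Type that a <form> cannot send. The header name `X-Request-Token`, the expected type `application/xml`, the HMAC-based token and the sample requests are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# The only media types an HTML <form> can put on a POST body; such a request
# is sent cross-site without any preflight OPTIONS.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
SERVER_KEY = secrets.token_bytes(32)   # assumption: per-deployment secret
TOKEN_HEADER = "x-request-token"       # hypothetical header name


def issue_token(session_id):
    """The 'magic string': returned to the page by an earlier same-site GET."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def media_type(value):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return (value or "").split(";", 1)[0].strip().lower()


def check_post(headers, session_id, expected_type="application/xml"):
    """Return (allowed, reason) for a state-changing POST."""
    h = {k.lower(): v for k, v in headers.items()}
    token = h.get(TOKEN_HEADER, "")
    if token:
        ok = hmac.compare_digest(token.encode(), issue_token(session_id).encode())
        return (ok, "token valid" if ok else "token mismatch")
    ctype = media_type(h.get("content-type"))
    if not ctype or ctype in FORM_TYPES:
        return (False, "form-submittable type and no token")
    if ctype != expected_type:
        return (False, "unexpected content type")
    return (True, "type a form cannot send")


# Constructed sample requests for session "s1".
SAMPLES = [
    {"Content-Type": "application/x-www-form-urlencoded"},
    {"Content-Type": "text/plain; charset=utf-8"},
    {"Content-Type": "application/xml"},
    {"Content-Type": "text/plain", "X-Request-Token": issue_token("s1")},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.get("Content-Type"), "->", check_post(req, "s1"))
```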
