W3C home > Mailing lists > Public > public-appformats@w3.org > January 2008

Re: linking pre-check to POST and other requests?

From: Thomas Roessler <tlr@w3.org>
Date: Thu, 17 Jan 2008 00:45:08 +0100
To: Ian Hickson <ian@hixie.ch>
Cc: public-appformats@w3.org
Message-ID: <20080116234508.GK363@iCoaster.does-not-exist.org>

On 2008-01-16 23:22:59 +0000, Ian Hickson wrote:

> Actually it turns out that isn't a problem, because the server
> can just re-do the security check on the actual request. (In fact
> in the extreme it could just automatically reply "allow *" for
> all OPTIONS requests, and then make the actual determination in
> the real POST/DELETE/etc requests.)

> The reason for the preflight isn't for servers going forward,
> it's just to make sure that existing servers aren't exposed to
> cross-site request forgery attacks using APIs that rely on
> Access-Control.

Errr, yes, thanks to Referer-Root you're right -- which indeed takes
care of the POST/DELETE/etc cases.

Ignore this thread.  I shouldn't write e-mail when I'm tired.

Thomas Roessler, W3C  <tlr@w3.org>
Received on Wednesday, 16 January 2008 23:45:18 UTC
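The server-side behaviour Ian describes (a blanket "allow" on every pre-check, with the real access decision made on the actual POST/DELETE using the request's Referer-Root) and the reason the pre-check still matters for servers written before Access-Control, modelled as an added illustration for this archive page. It is not code from the Access-Control draft or from either poster; the allow-list, the sample requests and the header syntax (simplified from the draft's `Access-Control: allow <...>` form) are assumptions, and the client-side algorithm is reduced to the one decision the thread discusses.

```python
"""
Model of the two server types discussed in the thread.

Added illustration, not code from the Access-Control draft or the posters.
Assumptions: the allow-list ALLOWED_ROOTS, the sample requests, and the
simplified header syntax. Referer-Root is the header name the draft used
at the time for the requesting page's origin.
"""
from dataclasses import dataclass, field

# Assumed allow-list of sites permitted to make cross-site requests.
ALLOWED_ROOTS = {"https://app.example"}


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def access_control_server(req: Request) -> Response:
    """An Access-Control-aware server: answers every pre-check with 'allow *'
    and makes the real decision on the actual request, as Ian suggests."""
    if req.method == "OPTIONS":
        # Blanket allow on the pre-check; nothing is decided here.
        return Response(200, {"Access-Control": "allow <*>"})
    root = req.headers.get("Referer-Root")
    if root is None or root not in ALLOWED_ROOTS:
        # The actual request carries the origin, so this is where the
        # POST/DELETE is refused for a site that is not on the list.
        return Response(403, {}, "cross-site request refused")
    return Response(200, {"Access-Control": f"allow <{root}>"}, "did " + req.method)


def legacy_server(req: Request) -> Response:
    """A server written before Access-Control: it has never heard of
    Referer-Root and processes whatever POST/DELETE reaches it."""
    if req.method == "OPTIONS":
        # No Access-Control header in the reply: the server has not opted in.
        return Response(405, {})
    return Response(200, {}, "did " + req.method)


def browser_cross_site(server, method: str, root: str) -> Response:
    """Client side, reduced to the one step under discussion: send the
    pre-check and only send the real request if the server opted in."""
    pre = server(Request("OPTIONS", {"Referer-Root": root}))
    if "Access-Control" not in pre.headers:
        # Status 0 here stands for 'never sent', like a network error to script.
        return Response(0, {}, "blocked by client after pre-check")
    return server(Request(method, {"Referer-Root": root}))


def demo() -> dict:
    """Run the four cases the thread is about and return the statuses."""
    return {
        # New-style server: pre-check is permissive, actual request decides.
        "aware_allowed": browser_cross_site(access_control_server, "POST",
                                            "https://app.example").status,
        "aware_refused": browser_cross_site(access_control_server, "DELETE",
                                            "https://evil.example").status,
        # Legacy server: the pre-check is what stops the cross-site POST...
        "legacy_with_precheck": browser_cross_site(legacy_server, "POST",
                                                   "https://evil.example").status,
        # ...because, sent directly, the legacy server would just act on it.
        "legacy_without_precheck": legacy_server(
            Request("POST", {"Referer-Root": "https://evil.example"})).status,
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The last two cases are the point of Ian's second paragraph: for the legacy server the pre-check is the only thing standing between a cross-site page and a credentialed POST, while the Access-Control-aware server loses nothing by answering the pre-check permissively because it re-checks Referer-Root on the request that actually does something.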