- From: Thomas Roessler <tlr@w3.org>
- Date: Thu, 17 Jan 2008 00:45:08 +0100
- To: Ian Hickson <ian@hixie.ch>
- Cc: public-appformats@w3.org
On 2008-01-16 23:22:59 +0000, Ian Hickson wrote:

> Actually it turns out that isn't a problem, because the server
> can just re-do the security check on the actual request. (In fact
> in the extreme it could just automatically reply "allow *" for
> all OPTIONS requests, and then make the actual determination in
> the real POST/DELETE/etc requests.)
>
> The reason for the preflight isn't for servers going forward,
> it's just to make sure that existing servers aren't exposed to
> cross-site request forgery attacks using APIs that rely on
> Access-Control.

Errr, yes, thanks to Referer-Root you're right -- which indeed
takes care of the POST/DELETE/etc cases.

Ignore this thread. I shouldn't write e-mail when I'm tired.

--
Thomas Roessler, W3C <tlr@w3.org>
Received on Wednesday, 16 January 2008 23:45:18 UTC
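The preflight logic the two messages describe, as an added example that is not part of the thread or of any W3C code: a legacy server that knows nothing about Access-Control never answers the preflight, so the browser never sends the cross-site POST/DELETE, while an aware server can answer "allow *" to every OPTIONS and still make the real decision on the actual request from Referer-Root. The allowlist, the function names and the simplified header syntax are assumptions.

```python
# Added example: models the preflight behaviour discussed in the thread using
# the draft-era header names it mentions ("Referer-Root", "Access-Control").
# Header syntax is simplified and assumed, not taken from the specification.

TRUSTED_ROOTS = {"https://app.example"}  # constructed allowlist, an assumption


def legacy_server(method, headers):
    """Pre-Access-Control server: it has no idea what a preflight is, so its
    OPTIONS reply carries no Access-Control header at all."""
    if method == "OPTIONS":
        return {"status": 200, "headers": {}}
    # A legacy server would happily perform the state change if it got here.
    return {"status": 200, "headers": {}, "body": f"{method} performed"}


def aware_server(method, headers):
    """Hickson's extreme case: say 'allow *' to every OPTIONS request and
    make the actual access decision on the real request via Referer-Root."""
    if method == "OPTIONS":
        return {"status": 200, "headers": {"Access-Control": "allow *"}}
    root = headers.get("Referer-Root")
    if root not in TRUSTED_ROOTS:
        return {"status": 403, "headers": {}, "body": "forbidden"}
    return {"status": 200, "headers": {}, "body": f"{method} performed"}


def browser_cross_site(server, method, origin_root):
    """Browser-side policy: a non-simple cross-site method is preflighted,
    and the real request goes out only if the preflight said allow."""
    headers = {"Referer-Root": origin_root}
    pre = server("OPTIONS", headers)
    if pre["headers"].get("Access-Control") != "allow *":
        return {"sent": False, "reason": "preflight refused"}
    resp = server(method, headers)
    return {"sent": True, "status": resp["status"]}


if __name__ == "__main__":
    # Legacy server: the preflight fails, so the DELETE is never sent.
    print(browser_cross_site(legacy_server, "DELETE", "https://evil.example"))
    # Aware server: preflight passes, the real request is judged on its own.
    print(browser_cross_site(aware_server, "DELETE", "https://evil.example"))
    print(browser_cross_site(aware_server, "DELETE", "https://app.example"))
```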