W3C home > Mailing lists > Public > public-appformats@w3.org > January 2008

Re: <form> POST versus Access Control POST

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 17 Jan 2008 00:31:29 -0800
Message-ID: <478F1261.5080900@sicking.cc>
To: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>

Anne van Kesteren wrote:
> tlr has some doubts whether the distinction between <form> POST and 
> Access Control POST is sufficient enough to give Access Control POST a 
> preflight OPTIONS as it might led authors to think that they are 
> protected against cross-site POST requests while in reality, if they 
> don't do careful checking of the Content-Type header or require some 
> kind of magic string previously obtained using a normal GET request, 
> they are not.
> We earlier decided to let authors perform the additional check and 
> require the preflight OPTIONS so I'll leave the specification as is 
> unless people start changing their minds...

The specific attack I was worried about was SOAP service providers. 
These work by accepting XML data through POSTs and and can perform 
potentially dangerous operations.

While it is currently possible to use <form>s to send POST requests to 
such servers, it is not possible to send them using a proper XML content 
type. Hopefully servers will not successfully parse the data without a 
proper content type.

/ Jonas
Received on Thursday, 17 January 2008 08:31:44 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:21 UTC