Re: <form> POST versus Access Control POST

Anne van Kesteren wrote:
> 
> tlr has some doubts whether the distinction between <form> POST and 
> Access Control POST is sufficient enough to give Access Control POST a 
> preflight OPTIONS as it might lead authors to think that they are 
> protected against cross-site POST requests while in reality, if they 
> don't do careful checking of the Content-Type header or require some 
> kind of magic string previously obtained using a normal GET request, 
> they are not.
> 
> We earlier decided to let authors perform the additional check and 
> require the preflight OPTIONS so I'll leave the specification as is 
> unless people start changing their minds...

The specific attack I was worried about was SOAP service providers. 
These work by accepting XML data through POSTs and can perform 
potentially dangerous operations.

While it is currently possible to use <form>s to send POST requests to 
such servers, it is not possible to send them using a proper XML content 
type. Hopefully servers will not successfully parse the data without a 
proper content type.

/ Jonas
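The server-side gate the thread is arguing for, as an added example that is not code from the original mail, from any W3C specification, or from any SOAP toolkit: a SOAP endpoint that only hands a body to its XML parser when the request is a POST carrying an XML media type, and that refuses the media types a cross-site <form> can produce without any preflight. The set FORM_CAPABLE_TYPES, the accepted XML types, and the header name X-Request-Token (the "magic string obtained via a normal GET" from the thread) are assumptions of the example.

```python
# Media types a browser <form> can submit cross-site with no preflight
# (assumption of this example: urlencoded, multipart, and text/plain).
FORM_CAPABLE_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Media types under which this SOAP endpoint is willing to parse a body
# (assumption of this example).
XML_TYPES = {"text/xml", "application/xml", "application/soap+xml"}


def media_type(content_type_header):
    """Return the bare, lowercased media type with parameters stripped,
    or None when the header is absent or empty."""
    if not content_type_header:
        return None
    return content_type_header.split(";", 1)[0].strip().lower() or None


def should_parse_soap_body(method, headers, csrf_token=None):
    """Decide whether a request may be handed to the SOAP/XML parser.

    headers: mapping of request header names (any case) to values.
    csrf_token: optional per-session secret previously handed out over a
                plain GET; when given, it must be echoed back in the
                (hypothetical) X-Request-Token header.
    Returns (accept, reason).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST":
        return False, "only POST carries SOAP envelopes"
    mtype = media_type(hdrs.get("content-type"))
    if mtype in FORM_CAPABLE_TYPES:
        # A plain cross-site <form> can send exactly these types, so the body
        # must never be sniffed or parsed as XML regardless of its contents.
        return False, f"{mtype} is form-submittable; not parsing as XML"
    if mtype not in XML_TYPES:
        return False, f"unsupported or missing media type: {mtype}"
    if csrf_token is not None and hdrs.get("x-request-token") != csrf_token:
        return False, "missing or wrong request token"
    return True, "ok"
```

The content-type check alone mirrors what the mail hopes servers already do; the token check is the second line of defence Anne's quoted text mentions, for deployments that cannot rely on the content-type distinction.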

Received on Thursday, 17 January 2008 08:31:44 UTC