- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 17 Jan 2008 00:31:29 -0800
- To: Anne van Kesteren <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>
Anne van Kesteren wrote:
>
> tlr has some doubts whether the distinction between <form> POST and
> Access Control POST is sufficient enough to give Access Control POST a
> preflight OPTIONS as it might lead authors to think that they are
> protected against cross-site POST requests while in reality, if they
> don't do careful checking of the Content-Type header or require some
> kind of magic string previously obtained using a normal GET request,
> they are not.
>
> We earlier decided to let authors perform the additional check and
> require the preflight OPTIONS so I'll leave the specification as is
> unless people start changing their minds...

The specific attack I was worried about was SOAP service providers. These work by accepting XML data through POSTs and can perform potentially dangerous operations. While it is currently possible to use <form>s to send POST requests to such servers, it is not possible to send them using a proper XML content type. Hopefully servers will not successfully parse the data without a proper content type.

/ Jonas
Received on Thursday, 17 January 2008 08:31:44 UTC
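The two server-side checks the thread refers to (refusing any Content-Type an HTML form can produce, or requiring a token previously handed out in a GET response), as an added Python example that is not part of the original message or of any W3C code; the endpoint logic, the `token` form field name and the sample requests are constructed assumptions.

```python
import hmac
from urllib.parse import parse_qs

# Media types a plain HTML <form> can submit (its enctype values). A POST
# carrying any other Content-Type could not have come from a <form>.
FORM_MEDIA_TYPES = {"application/x-www-form-urlencoded",
                    "multipart/form-data", "text/plain"}
# Media types a SOAP endpoint should insist on before parsing a body as XML.
XML_MEDIA_TYPES = {"text/xml", "application/xml", "application/soap+xml"}


def media_type(content_type):
    """Drop parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def accept_post(content_type, body, session_token):
    """Decide whether a POST to a SOAP-style endpoint may be processed.

    Returns (accepted, reason). A request is accepted only if it could not
    have been sent by an HTML <form> (strict XML Content-Type) or if it
    carries the per-session token that was previously obtained via GET.
    """
    mtype = media_type(content_type)
    if mtype in XML_MEDIA_TYPES:
        return True, "xml content-type: not sendable by an html form"
    if mtype == "application/x-www-form-urlencoded":
        sent = parse_qs(body).get("token", [""])[0]
        if sent and hmac.compare_digest(sent, session_token):
            return True, "form-sendable content-type, but valid token"
        return False, "form post without a valid token"
    # text/plain or multipart bodies are never parsed as XML, even if they
    # happen to contain a SOAP envelope: this is the lenient parsing the
    # message above hopes servers avoid.
    return False, "form-sendable content-type %s refused" % mtype


# Constructed sample requests: (Content-Type header, body).
SAMPLE_REQUESTS = [
    ("application/x-www-form-urlencoded", "op=transfer&amount=100"),
    ("application/x-www-form-urlencoded", "op=transfer&token=s3cret"),
    ("text/plain", "<soap:Envelope/>"),
    ("text/xml; charset=utf-8", "<soap:Envelope/>"),
]


def evaluate_samples(session_token="s3cret"):
    """Run every sample request through accept_post; returns a list of bools."""
    return [accept_post(ct, body, session_token)[0] for ct, body in SAMPLE_REQUESTS]
```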