Re: <form> POST versus Access Control POST

On 1/17/08, Jonas Sicking <> wrote:
> Anne van Kesteren wrote:
> >
> > tlr has some doubts whether the distinction between <form> POST and
> > Access Control POST is sufficient enough to give Access Control POST a
> > preflight OPTIONS as it might led authors to think that they are
> > protected against cross-site POST requests while in reality, if they
> > don't do careful checking of the Content-Type header or require some
> > kind of magic string previously obtained using a normal GET request,
> > they are not.
> >
> > We earlier decided to let authors perform the additional check and
> > require the preflight OPTIONS so I'll leave the specification as is
> > unless people start changing their minds...
> The specific attack I was worried about was SOAP service providers.
> These work by accepting XML data through POSTs and and can perform
> potentially dangerous operations.

Dangerous operations aren't specific to SOAP.  Any POST-accepting
resource can do them.

Mark Baker.  Ottawa, Ontario, CANADA.
Coactus; Web-inspired integration strategies

Received on Thursday, 17 January 2008 15:46:25 UTC