W3C home > Mailing lists > Public > public-appformats@w3.org > January 2008

Re: <form> POST versus Access Control POST

From: Mark Baker <distobj@acm.org>
Date: Thu, 17 Jan 2008 10:46:16 -0500
Message-ID: <e9dffd640801170746pfcda13r88a1ac85c01b30d7@mail.gmail.com>
To: "Jonas Sicking" <jonas@sicking.cc>
Cc: "Anne van Kesteren" <annevk@opera.com>, "WAF WG (public)" <public-appformats@w3.org>

On 1/17/08, Jonas Sicking <jonas@sicking.cc> wrote:
>
> Anne van Kesteren wrote:
> >
> > tlr has some doubts whether the distinction between <form> POST and
> > Access Control POST is sufficient enough to give Access Control POST a
> > preflight OPTIONS as it might led authors to think that they are
> > protected against cross-site POST requests while in reality, if they
> > don't do careful checking of the Content-Type header or require some
> > kind of magic string previously obtained using a normal GET request,
> > they are not.
> >
> > We earlier decided to let authors perform the additional check and
> > require the preflight OPTIONS so I'll leave the specification as is
> > unless people start changing their minds...
>
> The specific attack I was worried about was SOAP service providers.
> These work by accepting XML data through POSTs and and can perform
> potentially dangerous operations.

Dangerous operations aren't specific to SOAP.  Any POST-accepting
resource can do them.

Mark.
-- 
Mark Baker.  Ottawa, Ontario, CANADA.         http://www.markbaker.ca
Coactus; Web-inspired integration strategies  http://www.coactus.com
Received on Thursday, 17 January 2008 15:46:25 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:56:21 UTC