- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 17 Jan 2008 20:02:04 -0800
- To: Ian Hickson <ian@hixie.ch>, public-appformats@w3.org
Thomas Roessler wrote:
> On 2008-01-16 23:22:59 +0000, Ian Hickson wrote:
>
>> Actually it turns out that isn't a problem, because the server
>> can just re-do the security check on the actual request. (In fact
>> in the extreme it could just automatically reply "allow *" for
>> all OPTIONS requests, and then make the actual determination in
>> the real POST/DELETE/etc requests.)
>
>> The reason for the preflight isn't for servers going forward,
>> it's just to make sure that existing servers aren't exposed to
>> cross-site request forgery attacks using APIs that rely on
>> Access-Control.
>
> Errr, yes, thanks to Referer-Root you're right -- which indeed takes
> care of the POST/DELETE/etc cases.
>
> Ignore this thread. I shouldn't write e-mail when I'm tired.

I think this is a good point though. It's something that we should add to the security considerations so that server implementations are aware of this.

/ Jonas
Received on Friday, 18 January 2008 04:03:10 UTC
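The two halves of the argument quoted above (a server may answer every preflight with "allow *" as long as it re-does the check on the actual request, and the preflight exists so that servers that predate Access-Control never see the cross-site POST/DELETE at all), as an added worked example. This is not code from the thread or from the W3C draft; it models both servers and the user-agent rule as plain functions so it runs without a network. Header names follow the 2008 draft as named in the mail (Referer-Root on the request, "Access-Control: allow <...>" on the response); the exact allow-pattern grammar, the allowlist, the origins and the bodies are assumptions constructed for the example. Later CORS renamed these headers to Origin and Access-Control-Allow-Origin, but the point about where the authoritative check must live is unchanged.

```javascript
// Added example, not code from the thread or the Access-Control draft.
// Header names follow the 2008 draft (Referer-Root, Access-Control);
// allowlist, origins, bodies and the allow-pattern parse are constructed.

// Constructed allowlist of roots permitted to make state-changing requests.
const ALLOWED_ROOTS = new Set(['https://app.example']);

// Server that understands Access-Control. The preflight answer is deliberately
// "allow <*>" for everyone; the real determination happens on the actual
// request, so a cached or forged preflight result buys an attacker nothing.
function accessControlServer(req) {
  const root = req.headers['referer-root'];
  if (req.method === 'OPTIONS') {
    return { status: 200, headers: { 'Access-Control': 'allow <*>' } };
  }
  if (req.method !== 'GET' && req.method !== 'HEAD') {
    // The check that actually protects state: is this Referer-Root allowed?
    if (!root || !ALLOWED_ROOTS.has(root)) {
      return { status: 403, headers: {}, body: `cross-site ${req.method} from ${root} refused` };
    }
  }
  const headers = root ? { 'Access-Control': `allow <${root}>` } : {};
  return { status: 200, headers, body: 'ok' };
}

// Server written before Access-Control existed: answers OPTIONS with a plain
// HTTP Allow header and would act on any POST/DELETE it received. It is safe
// only because the user agent never sends it the cross-site request.
function legacyServer(req) {
  if (req.method === 'OPTIONS') {
    return { status: 200, headers: { 'Allow': 'GET, POST, DELETE' } };
  }
  return { status: 200, headers: {}, body: 'state changed' };
}

// Does a response grant access to this root? Simplified parse of the draft's
// "allow <pattern>" form (assumption): "*" or an exact root match.
function grantsAccess(headers, root) {
  const v = headers['Access-Control'];
  if (!v) return false;
  const m = /^allow <([^>]+)>/.exec(v);
  return !!m && (m[1] === '*' || m[1] === root);
}

// User-agent side: a cross-site non-GET request is sent only after a
// preflight whose answer grants access; otherwise it is withheld.
function crossSiteRequest(server, method, root, body) {
  const pre = server({ method: 'OPTIONS', headers: { 'referer-root': root } });
  if (!grantsAccess(pre.headers, root)) {
    return { sent: false, reason: 'preflight did not grant access; request withheld' };
  }
  const res = server({ method, headers: { 'referer-root': root }, body });
  return { sent: true, status: res.status, body: res.body };
}

// Walk-through: the legacy server never receives the DELETE; the
// Access-Control server receives it and refuses the unlisted root itself.
console.log(crossSiteRequest(legacyServer, 'DELETE', 'https://evil.example'));
console.log(crossSiteRequest(accessControlServer, 'DELETE', 'https://evil.example'));
console.log(crossSiteRequest(accessControlServer, 'DELETE', 'https://app.example'));
```

The practitioner's takeaway for the security considerations section is the third call: the permissive preflight is harmless only because accessControlServer treats Referer-Root on the actual request as the authoritative input, and a server that answered "allow <*>" on OPTIONS and then trusted the preflight instead of re-checking would be exposed exactly like legacyServer would be without the preflight gate.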