
Re: linking pre-check to POST and other requests?

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 17 Jan 2008 20:02:04 -0800
Message-ID: <479024BC.1080303@sicking.cc>
To: Ian Hickson <ian@hixie.ch>, public-appformats@w3.org

Thomas Roessler wrote:
> On 2008-01-16 23:22:59 +0000, Ian Hickson wrote:
> 
>> Actually it turns out that isn't a problem, because the server
>> can just re-do the security check on the actual request. (In fact
>> in the extreme it could just automatically reply "allow *" for
>> all OPTIONS requests, and then make the actual determination in
>> the real POST/DELETE/etc requests.)
> 
>> The reason for the preflight isn't for servers going forward,
>> it's just to make sure that existing servers aren't exposed to
>> cross-site request forgery attacks using APIs that rely on
>> Access-Control.
> 
> Errr, yes, thanks to Referer-Root you're right -- which indeed takes
> care of the POST/DELETE/etc cases.
> 
> Ignore this thread.  I shouldn't write e-mail when I'm tired.

I think this is a good point though. It's something that we should add 
to the security considerations so that server implementations are aware 
of this.

/ Jonas
Received on Friday, 18 January 2008 04:03:10 UTC
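
A sketch of the server behaviour described in the quoted text above, added here as an illustration; it is not part of the thread or of the Access Control draft. The allow-list, the `handle` function and the in-memory store are assumptions; `Referer-Root` and `allow *` are the names as written in the thread.

```python
# Added example: permissive preflight, real check on the actual request.
ALLOWED_ROOTS = {"https://partner.example"}   # constructed allow-list
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def handle(method, headers, path, store, body=""):
    """Return (status, response_headers); mutate `store` only when authorized."""
    # Header name as used in the thread; deployed CORS carries this in Origin.
    root = headers.get("Referer-Root")

    if method == "OPTIONS":
        # Preflight: the "extreme" case, approve everything and decide later.
        return 200, {"Access-Control": "allow *"}

    if method in STATE_CHANGING:
        # The security check is re-done here, on the request with side effects.
        # Assumption: a request without the header is not cross-site and is
        # covered by the server's ordinary CSRF defences (not shown).
        if root is not None and root not in ALLOWED_ROOTS:
            return 403, {}
        if method == "DELETE":
            store.pop(path, None)
        else:
            store[path] = body
        return 204, {}

    return 200, {}


def demo():
    """Run constructed requests and return the observable outcomes."""
    store = {"/notes/1": "keep me"}
    other = {"Referer-Root": "https://other.example"}      # not on the allow-list
    partner = {"Referer-Root": "https://partner.example"}  # on the allow-list
    return [
        handle("OPTIONS", other, "/notes/1", store)[0],   # preflight passes
        handle("DELETE", other, "/notes/1", store)[0],    # actual request refused
        "/notes/1" in store,                              # nothing was deleted
        handle("DELETE", partner, "/notes/1", store)[0],  # allowed root succeeds
        "/notes/1" in store,
    ]


if __name__ == "__main__":
    print(demo())
```

A server written this way gains nothing from the preflight itself: every state-changing handler has to carry the check, which is the point proposed for the security considerations.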
