W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > September 2009

[Bug 7709] New: Prevent PUT/DELETE cross-origin

From: <bugzilla@wiggum.w3.org>
Date: Wed, 23 Sep 2009 12:38:15 +0000
To: public-html-bugzilla@w3.org
Message-ID: <bug-7709-2486@http.www.w3.org/Bugs/Public/>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=7709

           Summary: Prevent PUT/DELETE cross-origin
           Product: HTML WG
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: HTML5 spec bugs
        AssignedTo: dave.null@w3.org
        ReportedBy: annevk@opera.com
         QAContact: public-html-bugzilla@w3.org
                CC: ian@hixie.ch, mike@w3.org, public-html@w3.org


I think it is great that PUT and DELETE are now supported in HTML Forms but I
think we cannot make them go cross-origin without introducing new potential
attacks so they need to be behind a same-origin check. This is certainly not
ideal, but I do not see any other way of making this work perhaps short of
using CORS, but I'm not sure we want to go there just yet.


-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Wednesday, 23 September 2009 12:38:24 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 20:01:01 UTC