- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Wed, 08 Jan 2014 12:12:38 -0500
- To: public-web-perf@w3.org
On 1/8/14 12:00 PM, doug.turner@gmail.com wrote:
> Also, if POST is used to send request data with a Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain, e.g. if the POST request sends an XML payload to the server using application/xml or text/xml, then the request is preflighted.

This is true for XHR, because XHR always adds the "Content-Type" header to the "author request headers" list.

Beacon should be doing that too, presumably, since it in fact allows the page author to send an arbitrary Content-Type value via passing a Blob to sendBeacon.

> On Jan 8, 2014, at 1:17 AM, Sigbjorn Finne <sof@opera.com> wrote:
> > The Beacon spec doesn't set "author request headers" when issuing a cross-origin request

Then it has a security bug, given the Blob situation.

-Boris
Received on Wednesday, 8 January 2014 17:13:07 UTC
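
The preflight decision discussed in this message, as a simplified model added here for illustration (it is not part of the original message, the Beacon or CORS spec text, or any browser's code). All function names are hypothetical; the two wrapper functions encode the XHR and Beacon-draft behaviour only as the thread describes them.

```javascript
// Simplified model of the CORS preflight decision discussed in this thread.
// Constructed for illustration; not spec text and not browser source code.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// Headers other than Content-Type that never trigger a preflight by themselves.
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);

// Extract the bare MIME type: drop parameters (e.g. charset), trim, lowercase.
function mimeEssence(contentType) {
  return String(contentType).split(";")[0].trim().toLowerCase();
}

// authorHeaders: [name, value] pairs the fetch layer is told the page set.
function needsPreflight(method, authorHeaders) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of authorHeaders) {
    const n = name.toLowerCase();
    if (n === "content-type") {
      if (!SIMPLE_CONTENT_TYPES.has(mimeEssence(value))) return true;
    } else if (!SIMPLE_HEADERS.has(n)) {
      return true;
    }
  }
  return false;
}

// XHR as described above: Content-Type is always in the author header list.
function xhrStylePreflight(bodyType) {
  return needsPreflight("POST", [["Content-Type", bodyType]]);
}

// Beacon draft as described above: the author header list is left empty,
// so the Blob's type never reaches the check even though it is sent.
function beaconDraftStylePreflight(_blobType) {
  return needsPreflight("POST", []);
}

console.log("XHR, application/xml:", xhrStylePreflight("application/xml"));
console.log("Beacon draft, application/xml:", beaconDraftStylePreflight("application/xml"));
console.log("XHR, text/plain + charset:", xhrStylePreflight("Text/Plain; charset=UTF-8"));
```

The second result is the gap the message points at: the same Blob type that forces a preflight when it is in the author header list passes unchecked when the list is empty.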