- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 03 Dec 2009 19:04:35 +0100
- To: Tyler Close <tyler.close@gmail.com>
- CC: Daniel Stenberg <daniel@haxx.se>, Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org
Tyler Close wrote:
> ...
> For GET and POST requests that can be sent by the HTML form element,
> following the redirect is allowed by SOP. For more detail on the
> redirects allowed by SOP, see:
>
> http://lists.w3.org/Archives/Public/public-webapps/2009OctDec/att-0931/draft.html
>
> So, foo.example.com may be allowed to redirect a POST to
> bar.example.com, or any other origin.
>
> The SOP networking restrictions on requests only come into play for
> methods other than GET and POST, or for POST requests that have
> certain headers. That's why I've been using PUT in this discussion.
> ...

Which of course begs the question why PUT is considered more dangerous than POST...

BR, Julian

Received on Thursday, 3 December 2009 18:05:21 UTC