Re: (XMLHttpRequest 2) Proposal for cross-site extensions to XMLHttpRequest

On Mon, 17 Apr 2006, Mark Nottingham wrote:
> 
> AIUI, the specific vulnerability is form.submit() being used cross-site; 
> or are there other ways to do an automated POST?

I can't think of any off-hand at the moment.


> > Sure, that's why I'm proposing that non-GET requests should have the 
> > pre-flight check.
> 
> OK; I wasn't sure if you were retracting that or not.

I think we should retract it for POST. I agree we should keep it for 
non-GET and non-POST methods.


I'll post an updated proposal that takes into account comments so far 
later today.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Monday, 17 April 2006 21:17:13 UTC