- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 10 Jul 2008 23:45:04 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Webapps WG" <public-webapps@w3.org>
On Thu, 10 Jul 2008 13:21:33 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> Yes, I had gotten the impression that Flash would allow POSTs even if
> there was no /crossdomain.xml file. I.e. that it would allow the actual
> POST even if the preflight failed, it just wouldn't let you read the
> data.
>
> If I'm wrong that definitely changes things and makes option 1 much less
> viable.

It seems Björn has some other data than I have. I used the following simple page together with request sniffing, http://blog.monstuff.com/Flash4AJAX/static/Xdomain.html, to figure out if everything had a preflight /crossdomain.xml GET request. Using Flash 9 on Ubuntu this appeared to be the case.

>> Just allowing cross-site POST when Content-Type is
>> application/x-www-form-urlencoded or text/plain seems bad as it a)
>> encourages bad design to avoid a preflight and b) makes whitelisting
>> even more fine-grained. Initially the distinction was just on methods,
>> then it became headers, going further down to header values seems like
>> a bad idea to me. I'd much rather go back to just GET versus everything
>> else (i.e., methods).
>
> I agree it's bad, the question is if it's worse than option 3, which is
> to not have IE compatibility.

True. Another point to consider here is if we want compatibility with HTML forms "Web Forms" as using Access Control would enable more functionality for ordinary forms as well, such as exposing cross-site return data and allowing the CHICKEN method.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Thursday, 10 July 2008 21:45:30 UTC
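The design point argued above (letting a cross-site POST with Content-Type application/x-www-form-urlencoded or text/plain skip the preflight) is what the CORS spec eventually adopted. The following is an added example, not code from the thread or from any browser, that classifies a request the way a CORS-conforming browser does and shows why a server endpoint must treat an un-preflighted POST exactly like an HTML form submission rather than as proof of same-origin; the allowlist and CSRF-token flag are assumed inputs.

```python
# Added example: CORS "simple request" classification and the server-side
# consequence. Not part of the mailing-list thread.

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# Media types a browser may POST cross-origin without a preflight.
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# Request headers a browser may add without triggering a preflight (the
# author-settable safelisted ones; Origin is browser-set and never counts).
SAFELISTED_HEADERS = {
    "accept", "accept-language", "content-language", "content-type", "origin",
}


def needs_preflight(method: str, headers: dict) -> bool:
    """True if a browser would send an OPTIONS preflight before this request."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        if lname == "content-type":
            # Only the media type matters; parameters like charset are ignored.
            media_type = value.split(";", 1)[0].strip().lower()
            if media_type not in SIMPLE_CONTENT_TYPES:
                return True
    return False


def accept_state_change(method, headers, origin_allowlist, csrf_token_valid):
    """Server-side decision for a state-changing endpoint.

    A request that did not need a preflight is indistinguishable from a plain
    HTML form post from any site, so the absence of a preflight proves
    nothing about where it came from. Such requests need the same CSRF
    defence as forms. Preflighted requests are still origin-checked, since
    the preflight only works if this server's OPTIONS handler is correct.
    """
    origin = headers.get("Origin")
    origin_ok = origin is not None and origin in origin_allowlist
    if needs_preflight(method, headers):
        return origin_ok
    return origin_ok or csrf_token_valid
```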