- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 16 Jul 2008 15:11:03 -0400
- To: Anne van Kesteren <annevk@opera.com>
- Cc: Webapps WG <public-webapps@w3.org>
Anne van Kesteren wrote:

> On Thu, 10 Jul 2008 13:21:33 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
>
>> Yes, I had gotten the impression that Flash would allow POSTs even if there was no /crossdomain.xml file. I.e. that it would allow the actual POST even if the preflight failed, it just wouldn't let you read the data.
>>
>> If I'm wrong that definitely changes things and makes option 1 much less viable.
>
> It seems Björn has some other data than I have. I used the following simple page together with request sniffing
>
> http://blog.monstuff.com/Flash4AJAX/static/Xdomain.html
>
> to figure out if everything had a preflight /crossdomain.xml GET request. Using Flash 9 on Ubuntu this appeared to be the case.
>
>>> Just allowing cross-site POST when Content-Type is application/x-www-form-urlencoded or text/plain seems bad as it a) encourages bad design to avoid a preflight and b) makes whitelisting even more fine-grained. Initially the distinction was just on methods, then it became headers, going further down to header values seems like a bad idea to me. I'd much rather go back to just GET versus everything else (i.e., methods).
>>
>> I agree it's bad, the question is if it's worse than option 3, which is to not have IE compatibility.
>
> True. Another point to consider here is if we want compatibility with HTML forms "Web Forms" as using Access Control would enable more functionality for ordinary forms as well, such as exposing cross-site return data and allowing the CHICKEN method.

Indeed. Though option 1 would also allow us to do that.

/ Jonas
Received on Wednesday, 16 July 2008 19:12:39 UTC
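As an added illustration of the preflight rules debated above (example code, not from the thread or from any browser implementation): it models the two policies mentioned, "GET versus everything else" and the exception for POSTs whose Content-Type is form-like, together with a server-side check showing why a request that skipped the preflight still has to be authorized by the server. The policy names, `FORM_SAFE_HEADERS` and the `authorize_cross_site` helper are my own assumptions.

```python
from typing import Dict, Iterable, Optional

# Constructed for this example: the two Content-Type values the thread names as
# the ones an HTML form can already send cross-site without any preflight.
FORM_LIKE_TYPES = {"application/x-www-form-urlencoded", "text/plain"}
# Assumption: request headers a plain HTML form can set; anything else is "custom".
FORM_SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def needs_preflight(method: str, headers: Dict[str, str], policy: str) -> bool:
    """Decide whether a cross-site request must be preflighted.

    policy="methods":       the "GET versus everything else" rule.
    policy="header-values": GET, plus POST whose Content-Type is form-like,
                            go out without a preflight (the IE/HTML-form
                            compatible option the thread calls more fine-grained).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if not set(lowered) <= FORM_SAFE_HEADERS:
        return True                      # any custom header forces a preflight
    if method == "GET":
        return False                     # GET never preflights under either policy
    if policy == "methods":
        return True                      # every non-GET method preflights
    if policy == "header-values" and method == "POST":
        ctype = lowered.get("content-type", "").split(";")[0].strip().lower()
        return ctype not in FORM_LIKE_TYPES
    return True                          # PUT, DELETE, CHICKEN, ... always preflight


def authorize_cross_site(origin: Optional[str], allowed_origins: Iterable[str],
                         csrf_token_valid: bool) -> str:
    """Server-side decision for a state-changing request.

    A form-like POST reaches the server whether or not a preflight happened
    (exactly the situation the thread calls "bad design"), so the preflight is
    never an authorization step: the handler must check Origin and its own
    anti-CSRF token before acting.
    """
    if origin is not None and origin not in set(allowed_origins):
        return "reject: origin not allowed"
    if not csrf_token_valid:
        return "reject: missing or invalid CSRF token"
    return "accept"
```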