- From: Mark S. Miller <erights@google.com>
- Date: Sat, 21 Nov 2009 08:52:40 -0800
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Tyler Close <tyler.close@gmail.com>, public-webapps <public-webapps@w3.org>
On Sat, Nov 21, 2009 at 12:39 AM, Jonas Sicking <jonas@sicking.cc> wrote:
> I've only had time for a quick scan, but this looks like a very good proposal.
Thanks.
> Is there a reason why a full XMLHttpRequest API couldn't be used? I
> guess in its most simple incarnation things like setRequestHeader and
> .withCredentials would be removed.
>
> However technically speaking even setRequestHeader as well as
> arbitrary HTTP methods could be allowed if preflight requests were
> used. They would of course not contain any origin or referrer
> information. At a first glance this wouldn't expose any of the CSRF
> problems you are trying to avoid. (Granted, it's 12:30am and I've had
> a long day :) ).
>
> Or would you rather wait with that until later?
Exactly. We decided to separate Uniform Messaging into Level One and
Level Two specs according to their need for pre-flight. With
pre-flight, additional HTTP methods, headers, and request entity media
types could all be supported without introducing any of the CSRF-like
problems we're trying to avoid. This first document is a draft only of
the Level One spec.
--
Cheers,
--MarkM
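The Level One / Level Two split Mark describes, as an added example that is not code from this thread or from the Uniform Messaging drafts. It models both sides of the exchange: the user agent sends a request directly when an HTML form could already have produced it (so it adds no CSRF-like exposure a site does not already have), and otherwise sends a preflight first and proceeds only if the server's policy approves the extra method, headers or entity media type. The "form-equivalent" criteria, the `ServerPolicy` class and the function names are this example's own assumptions; the actual request carries no origin or referrer information, as the thread notes.

```python
from dataclasses import dataclass, field

# Assumed Level One boundary: what a plain HTML form can already send
# cross-origin. Nothing here needs a preflight.
FORM_METHODS = {"GET", "HEAD", "POST"}
FORM_MEDIA_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
FORM_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


@dataclass
class Request:
    """A cross-origin request as the user agent is about to send it.
    No Origin or Referer header is ever attached."""
    method: str
    headers: dict = field(default_factory=dict)  # names compared case-insensitively
    body: bytes = b""


def media_type(req: Request):
    """Bare media type of the request entity, or None without a Content-Type."""
    for name, value in req.headers.items():
        if name.lower() == "content-type":
            return value.split(";", 1)[0].strip().lower()
    return None


def is_form_equivalent(req: Request) -> bool:
    """Level One test: could an HTML form have produced this request?"""
    if req.method.upper() not in FORM_METHODS:
        return False
    if any(name.lower() not in FORM_HEADERS for name in req.headers):
        return False
    mt = media_type(req)
    return mt is None or mt in FORM_MEDIA_TYPES


class ServerPolicy:
    """Server side of the exchange (hypothetical): answers preflights for the
    Level Two features it is willing to accept beyond form-equivalent ones."""

    def __init__(self, methods=(), headers=(), media_types=()):
        self.methods = {m.upper() for m in methods} | FORM_METHODS
        self.headers = {h.lower() for h in headers} | FORM_HEADERS
        self.media_types = {m.lower() for m in media_types} | FORM_MEDIA_TYPES

    def answer_preflight(self, method: str, header_names, mt) -> bool:
        """Approve only if every requested feature is explicitly allowed."""
        if method.upper() not in self.methods:
            return False
        if any(h.lower() not in self.headers for h in header_names):
            return False
        return mt is None or mt in self.media_types


def user_agent_send(policy: ServerPolicy, req: Request) -> str:
    """Browser side: Level One requests go out directly; anything else is
    preflighted and sent only on approval, so the server never sees an
    unexpected method, header or media type it did not opt in to."""
    if is_form_equivalent(req):
        return "sent-directly"
    if policy.answer_preflight(req.method, req.headers.keys(), media_type(req)):
        return "sent-after-preflight"
    return "blocked-by-preflight"


if __name__ == "__main__":
    # Constructed sample policy and requests for a quick demonstration.
    policy = ServerPolicy(methods=["PUT"], headers=["X-Request-Id"],
                          media_types=["application/json"])
    samples = [
        Request("GET"),
        Request("POST", {"Content-Type": "application/x-www-form-urlencoded"}, b"a=1"),
        Request("POST", {"Content-Type": "application/json"}, b"{}"),
        Request("PUT", {"X-Request-Id": "abc"}),
        Request("DELETE"),
    ]
    for r in samples:
        print(r.method, sorted(r.headers), "->", user_agent_send(policy, r))
```

A server that serves only Level One simply never answers a preflight, and every non-form-equivalent request is blocked before it leaves the user agent; opting in to a method or header is an explicit policy decision rather than a default.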
Received on Saturday, 21 November 2009 16:53:20 UTC