- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Sat, 23 Mar 2013 19:37:37 +0000
- To: WebAppSec WG <public-webappsec@w3.org>
On Tue, Mar 19, 2013 at 11:16 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> Is this set of URLs guaranteed to be same-origin somehow? Doing a
> cross-origin POST request with a JSON entity body is not something
> either <form> or XMLHttpRequest with CORS can do so would require at
> least a CORS preflight.

Note also that the invocation of fetch that is used does not limit credentials in any way. That seems like a bug.

I created http://wiki.whatwg.org/wiki/HTTP_Fetch_Policy by the way where I try to document what kind of requests can be made from a website. The idea is to figure out if we actually have any kind of policy in place here or if we're just doing something making wild guesses about whether what we do is secure or not for the third party... I have the feeling we're quite inconsistent.

--
http://annevankesteren.nl/
Received on Saturday, 23 March 2013 19:38:04 UTC
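The two points in the message (a cross-origin POST with a JSON body is not something a `<form>` can send, so it forces a CORS preflight; and a fetch that does not limit credentials will attach cookies) can be made concrete with a small model of the browser's decision. The code below is an added example, not code from the e-mail, from the WHATWG wiki page, or from any browser. The safelisted methods, headers and `Content-Type` values are the ones the Fetch standard uses for requests that need no preflight; the request shapes, the origins and the server-side `corsHeaders` allowlist helper are constructed for illustration.

```javascript
// Added example (not from the e-mail): model of the CORS "preflight or not"
// decision and of fetch()'s credentials mode, plus the server-side response
// headers a defender should emit for an allowlisted origin.

// CORS-safelisted values from the Fetch standard: a request using only these
// is what a <form> could also send, so the browser sends it without a preflight.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// An origin is scheme + host + port; URL.origin already drops default ports.
function isCrossOrigin(pageUrl, targetUrl) {
  return new URL(pageUrl).origin !== new URL(targetUrl).origin;
}

// Collect every part of the request that would force a preflight, so a
// reviewer sees exactly why (e.g. "content-type application/json").
function preflightReasons(req) {
  const reasons = [];
  const method = req.method.toUpperCase();
  if (!SAFE_METHODS.has(method)) reasons.push(`method ${method}`);
  for (const [name, value] of Object.entries(req.headers || {})) {
    const lname = name.toLowerCase();
    if (!SAFE_HEADERS.has(lname)) {
      reasons.push(`header ${lname}`);
      continue;
    }
    if (lname === "content-type") {
      // Only the media type matters; parameters such as charset do not.
      const mediaType = value.split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mediaType)) reasons.push(`content-type ${mediaType}`);
    }
  }
  return reasons;
}

// req.credentials is the fetch() credentials mode: "omit", "same-origin"
// (the default) or "include". Cookies go out cross-origin only with "include".
function classify(req) {
  const crossOrigin = isCrossOrigin(req.pageUrl, req.url);
  const reasons = crossOrigin ? preflightReasons(req) : [];
  const mode = req.credentials || "same-origin";
  const cookiesSent = mode === "include" || (mode === "same-origin" && !crossOrigin);
  return { crossOrigin, preflight: reasons.length > 0, reasons, cookiesSent };
}

// Server side (hypothetical helper): answer the preflight or actual request
// only for an allowlisted Origin. With credentials, "*" is not a valid
// Access-Control-Allow-Origin, so the concrete origin is echoed back and
// Vary: Origin is set so shared caches do not reuse the answer across origins.
function corsHeaders(originHeader, allowlist, withCredentials) {
  if (!originHeader || !allowlist.has(originHeader)) return null; // deny: emit no CORS headers
  const headers = { "Access-Control-Allow-Origin": originHeader, Vary: "Origin" };
  if (withCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Constructed requests from a page on https://app.example to another origin.
const jsonPost = classify({
  pageUrl: "https://app.example/",
  url: "https://api.example/submit",
  method: "POST",
  headers: { "Content-Type": "application/json" },
});
const formPost = classify({
  pageUrl: "https://app.example/",
  url: "https://api.example/submit",
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  credentials: "include",
});
console.log("JSON POST:", jsonPost);   // preflight: true, reasons: ["content-type application/json"]
console.log("form POST:", formPost);   // preflight: false, cookiesSent: true
console.log(corsHeaders("https://app.example", new Set(["https://app.example"]), true));
```

Run with `node`. The JSON POST needs a preflight purely because of its media type; the form-encoded POST does not, which is the asymmetry the message points at. The `credentials: "include"` case shows why an unconstrained fetch is the worrying one: cookies ride along, so the server must refuse to echo any origin it has not explicitly allowlisted.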