Re: CORS performance from Jonas Sicking on 2015-02-19 (public-webappsec@w3.org from February 2015)

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 19 Feb 2015 15:20:57 -0800
To: Brad Hill <hillbrad@gmail.com>
Cc: Dale Harvey <dale@arandomurl.com>, Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>
Message-ID: <CA+c2ei-KWdQ22CrPThX7XJSexQ2Ea3MqW50ZTNqT9ygVBM9NdA@mail.gmail.com>

On Thu, Feb 19, 2015 at 12:38 PM, Brad Hill <hillbrad@gmail.com> wrote:
> I think that POSTing JSON would probably expose to CSRF a lot of things that
> work over HTTP but don't expect to be interacted with by web browsers in
> that manner.  That's why the recent JSON encoding for forms mandates that it
> be same-origin only.

Note that you can already POST JSON cross-origin. Without any
preflight. The only thing you can't do is to set the "Content-Type"
header to the official JSON mimetype.

So the question is, does the server check that the Content-Type header
is set to "application/json" and if not abort any processing?

/ Jonas

Received on Thursday, 19 February 2015 23:21:53 UTC