On 2008-01-16 23:22:59 +0000, Ian Hickson wrote: > Actually it turns out that isn't a problem, because the server > can just re-do the security check on the actual request. (In fact > in the extreme it could just automatically reply "allow *" for > all OPTIONS requests, and then make the actual determination in > the real POST/DELETE/etc requests.)
> The reason for the preflight isn't for servers going forward, > it's just to make sure that existing servers aren't exposed to > cross-site request forgery attacks using APIs that rely on > Access-Control. Errr, yes, thanks to Referer-Root you're right -- which indeed takes care of the POST/DELETE/etc cases. Ignore this thread. I shouldn't write e-mail when I'm tired. -- Thomas Roessler, W3C <[EMAIL PROTECTED]>
