Anne van Kesteren wrote:
tlr has some doubts whether the distinction between <form> POST and
Access Control POST is sufficient enough to give Access Control POST a
preflight OPTIONS as it might lead authors to think that they are
protected against cross-site POST requests while in reality, if they
don't do careful checking of the Content-Type header or require some
kind of magic string previously obtained using a normal GET request,
they are not.
We earlier decided to let authors perform the additional check and
require the preflight OPTIONS so I'll leave the specification as is
unless people start changing their minds...
The specific attack I was worried about was SOAP service providers.
These work by accepting XML data through POSTs and can perform
potentially dangerous operations.
While it is currently possible to use <form>s to send POST requests to
such servers, it is not possible to send them using a proper XML content
type. Hopefully servers will not successfully parse the data without a
proper content type.
/ Jonas
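The two server-side checks the thread mentions (rejecting form-submittable content types and requiring a token previously handed out over GET) can be expressed as a small request filter. This is an added illustration, not code from the thread or from either of its authors; the `X-Request-Token` header name, the HMAC token scheme and the sample requests are constructed for the example.

```python
"""Acceptance check for a state-changing POST endpoint such as a SOAP service.

Constructed example (not from the mailing-list thread). It demonstrates why
Content-Type alone is a weak signal and combines it with a per-session token:

  1. A plain <form> can only submit the enctype content types listed in
     FORM_CONTENT_TYPES, so those are rejected outright by an XML service.
  2. Any other client-controllable request path still has to present a token
     that was issued to the same session earlier (e.g. over a normal GET).
"""
import hashlib
import hmac

# Content types a cross-site <form> can send without any preflight.
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Content types this hypothetical XML service is willing to parse.
ACCEPTED_CONTENT_TYPES = {"application/xml", "text/xml", "application/soap+xml"}

# Assumed header name for the previously issued token.
TOKEN_HEADER = "X-Request-Token"


def base_media_type(content_type):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def issue_token(secret, session_id):
    """Token handed out on an earlier GET, bound to the caller's session."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_post(headers, secret, session_id):
    """Return (accepted, reason) for a POST described by its headers."""
    media_type = base_media_type(headers.get("Content-Type", ""))

    # Check 1: never parse bodies a <form> could have produced, and only
    # parse the XML types this endpoint actually supports.
    if media_type in FORM_CONTENT_TYPES or media_type not in ACCEPTED_CONTENT_TYPES:
        return False, f"unsupported content type {media_type!r}"

    # Check 2: the content-type check is not sufficient on its own, so the
    # caller must also present the token issued to this session.
    presented = headers.get(TOKEN_HEADER, "")
    expected = issue_token(secret, session_id)
    if not hmac.compare_digest(presented, expected):
        return False, "missing or invalid request token"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    secret = b"constructed-server-secret"
    token = issue_token(secret, "session-1")
    samples = [
        {"Content-Type": "application/x-www-form-urlencoded", TOKEN_HEADER: token},
        {"Content-Type": "application/xml"},
        {"Content-Type": "text/xml; charset=utf-8", TOKEN_HEADER: token},
    ]
    for headers in samples:
        print(headers.get("Content-Type"), "->", check_post(headers, secret, "session-1"))
```

The first sample is refused on content type even though it carries a valid token, the second is refused for lacking the token despite a proper XML type, and only the third, with both an accepted type and the session-bound token, is parsed.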