On 1/17/08, Jonas Sicking <[EMAIL PROTECTED]> wrote:
>
> Anne van Kesteren wrote:
> >
> > tlr has some doubts whether the distinction between <form> POST and
> > Access Control POST is sufficient enough to give Access Control POST a
> > preflight OPTIONS as it might lead authors to think that they are
> > protected against cross-site POST requests while in reality, if they
> > don't do careful checking of the Content-Type header or require some
> > kind of magic string previously obtained using a normal GET request,
> > they are not.
> >
> > We earlier decided to let authors perform the additional check and
> > require the preflight OPTIONS so I'll leave the specification as is
> > unless people start changing their minds...
>
> The specific attack I was worried about was SOAP service providers.
> These work by accepting XML data through POSTs and can perform
> potentially dangerous operations.
Dangerous operations aren't specific to SOAP. Any POST-accepting resource can do them.

Mark.

--
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
Coactus; Web-inspired integration strategies http://www.coactus.com
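The server-side check the quoted text describes, as an added example that is not part of this thread or of any participant's code: a POST endpoint that refuses the Content-Types an HTML <form> can send cross-site without any preflight, and optionally requires a token the client obtained earlier. The `Request` class, `accept_soap_post` and the `X-Request-Token` header name are assumptions made for the example.

```python
"""Guard for a POST endpoint that must not rely on the preflight alone.

An HTML <form> can POST cross-site with enctype application/x-www-form-urlencoded,
multipart/form-data or text/plain and no preflight is ever sent, so an endpoint
that accepts those bodies learns nothing about the request's origin from
"preflight happened". The resource has to check the Content-Type (and, if it
wants a second factor, a secret obtained via an earlier same-origin GET) itself.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Enctypes a plain <form> submission can produce (constructed set for this example).
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Bodies the SOAP handler is actually willing to parse (assumption).
SOAP_CONTENT_TYPES = {"text/xml", "application/soap+xml"}


@dataclass
class Request:  # minimal stand-in for a real framework request object
    method: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def media_type(header_value: str) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return header_value.split(";", 1)[0].strip().lower()


def accept_soap_post(req: Request, expected_token: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request headed to the SOAP handler."""
    if req.method != "POST":
        return False, "method not allowed"
    ctype = media_type(req.headers.get("Content-Type", ""))
    # A form-submittable type means the body could have come from any site
    # without a preflight, regardless of what the Access Control rules say.
    if ctype in FORM_CONTENT_TYPES:
        return False, "form-submittable content type %r rejected" % ctype
    if ctype not in SOAP_CONTENT_TYPES:
        return False, "unexpected content type %r" % ctype
    # Optional "magic string" check: a value handed out by a prior GET (hypothetical header).
    if expected_token is not None and req.headers.get("X-Request-Token") != expected_token:
        return False, "missing or wrong request token"
    return True, "ok"
```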
