Thomas Roessler wrote:
On 2008-01-16 23:22:59 +0000, Ian Hickson wrote:
Actually it turns out that isn't a problem, because the server
can just re-do the security check on the actual request. (In fact
in the extreme it could just automatically reply "allow *" for
all OPTIONS requests, and then make the actual determination in
the real POST/DELETE/etc requests.)
The reason for the preflight isn't for servers going forward,
it's just to make sure that existing servers aren't exposed to
cross-site request forgery attacks using APIs that rely on
Access-Control.
Errr, yes, thanks to Referer-Root you're right -- which indeed takes
care of the POST/DELETE/etc cases.
Ignore this thread. I shouldn't write e-mail when I'm tired.
I think this is a good point though. It's something that we should add
to the security considerations so that server implementations are aware
of this.
/ Jonas
