Hi All,
During the F2F we talked about doing preflight-less POSTs in order to be
compatible with Microsoft's security model and allow them to follow the AC
spec for their feature set.
Unfortunately, when I brought this up at Mozilla there was concern about
doing cross-site POSTing with content types other than what <form>s
already allow. The concern was that it could make servers exploitable
which weren't today.
So I see a few ways forward:
1. Build more confidence that this would not in fact break servers.
I'm working on this method. I've contacted Adobe since I think Flash
currently allows cross-site POSTing with arbitrary Content-Types. I've
also contacted Microsoft to see if they have gotten any feedback on IE8
Beta 1, where XDR allows arbitrary content types. Silverlight also
supports this feature.
I'd also like to make a general shout-out here to see how people feel
about this, or if they know of any other protocols that send arbitrary
Content-Types with cross-site POSTs that we could use to gather data
about whether this makes sites exploitable.
If anyone has pointers to any research that has been done on Flash in
general, or its cross-site posting mechanism in particular, that would be
great, even if it doesn't mention this specific issue.
2. Don't require pre-flight for POSTs with 'text/plain', but require it
otherwise.
The downside of this solution is that it encourages people to use
'text/plain' as Content-Type for everything they send which has its
downsides.
The upshot is that this would still allow compat with XDR.
3. Always pre-flight POSTs.
This would abandon any hope of allowing XDR to use Access-Control as its
security protocol.
Unless Microsoft were able to implement preflights in IE8, but it seems
like it's really late in their release schedule for such a large change.
One thing that I really like about proposal 1 is the simplicity. We
would say "POST can be done cross origin without any checking, so you
need to protect yourself against that". Any other proposal is basically
"POST can be done cross origin without any checking, but only for these
here values of the 'Content-Type' header. Except that it looks like in
Access-Control you can rely on those requests not coming in. Oh, and if
you are concerned about users of Flash and Silverlight being exploitable
you do need to worry about all values for 'Content-Type'."
/ Jonas
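The three options above can be made concrete. The following is an added example, not code from the email, from Mozilla or from any browser or spec: it models each proposal as a client-side preflight policy, answers the question the email is really asking ("can a cross-site POST with this Content-Type reach a server without a preflight?") under each, and shows the kind of server-side check proposal 1 asks site authors to do. The policy numbers, the `FORM_CONTENT_TYPES` set (the enctype values an HTML form can submit), the `plugins_present` flag standing in for the email's claim about Flash and Silverlight, and the `X-CSRF-Token` header name are all assumptions made for illustration.

```python
# Added example, not the email's or any project's code. Models the three
# preflight proposals for cross-site POST and a server-side check in the
# spirit of proposal 1. Policy numbers, FORM_CONTENT_TYPES, the plugins flag
# and the token header name are constructed for illustration.
from dataclasses import dataclass

# Content-Types an HTML <form> can already submit cross-site (enctype values).
FORM_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def media_type(content_type: str) -> str:
    """Drop parameters such as charset or boundary and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def needs_preflight(content_type: str, policy: int) -> bool:
    """Must an Access-Control client preflight a POST with this Content-Type?
    policy 1, 2 and 3 correspond to the email's three proposals."""
    ct = media_type(content_type)
    if policy == 1:            # proposal 1: never preflight a POST
        return False
    if policy == 2:            # proposal 2: only 'text/plain' is preflight-free
        return ct != "text/plain"
    if policy == 3:            # proposal 3: always preflight
        return True
    raise ValueError(f"unknown policy {policy}")


def cross_site_post_possible(content_type: str, policy: int,
                             plugins_present: bool) -> bool:
    """Can *some* client deliver a cross-site POST with this Content-Type and
    no preflight?  Forms cover the form types; Access-Control depends on the
    policy; plugins (the email's claim about Flash/Silverlight) cover any type."""
    ct = media_type(content_type)
    if ct in FORM_CONTENT_TYPES:
        return True
    if not needs_preflight(ct, policy):
        return True
    return plugins_present


@dataclass
class Request:
    """Minimal constructed HTTP request: method, headers, body."""
    method: str
    headers: dict
    body: bytes = b""

    def header(self, name: str):
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower())


def server_accepts(req: Request, trusted_origins: set, session_token: str):
    """Server-side check following proposal 1's advice: never treat a non-form
    Content-Type (e.g. application/json) as proof that the request came from
    same-origin code.  Accept a state-changing POST only when the Origin
    header, if present, is trusted and the request carries the per-session
    token that a cross-site page cannot read."""
    if req.method.upper() != "POST":
        return False, "only POST is handled here"
    origin = req.header("Origin")
    if origin is not None and origin not in trusted_origins:
        return False, f"untrusted Origin {origin}"
    if req.header("X-CSRF-Token") != session_token:
        return False, "missing or wrong session token"
    return True, "accepted"


if __name__ == "__main__":
    for policy in (1, 2, 3):
        for ct in ("application/json", "text/plain; charset=utf-8"):
            print(policy, ct, "preflight" if needs_preflight(ct, policy) else "no preflight",
                  "reachable cross-site with plugins:",
                  cross_site_post_possible(ct, policy, plugins_present=True))
    # Constructed request: cross-site JSON POST from an untrusted page.
    req = Request("POST", {"Origin": "http://attacker.example",
                           "Content-Type": "application/json",
                           "X-CSRF-Token": "tok"}, b"{}")
    print(server_accepts(req, {"http://app.example"}, "tok"))
```

The point the example makes for a site author is the last function: under proposal 1 (and, if Flash or Silverlight users are a concern, under any proposal) the Content-Type of a POST says nothing about who sent it, so the server has to rely on something a cross-site page cannot forge, such as a trusted Origin or a per-session token, before acting on the body.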