Open Bug 1052423 Opened 10 years ago Updated 2 years ago

Prevent XMLHttpRequests with methods except for GET, HEAD or OPTIONS in prerendered documents

Categories

(Core :: DOM: Core & HTML, defect, P5)

x86
macOS
defect

People

(Reporter: ehsan.akhgari, Unassigned)

References

(Blocks 1 open bug)

Details

POST specifically would be super dangerous...
Why in the world should we do this to POST?  

(1) There's been no mention of this that I'm aware of in the whatwg mailing lists.  
(2) Are you thinking this should be for content-only, or are you thinking of whacking privileged code support for this as well?
(3) Is it because multipart/form-data is hard to get right?  That might be an issue for file uploads (which is a whole different story) or large fields of data, but x-www-form-urlencoded works fine most of the time.
(4) XHR POST has been there from the very beginning; it's why XHR.send() takes an argument, for the body of the request.  This would be a major change away from the standard.
(In reply to Alex Vincent [:WeirdAl] from comment #1)
> Why in the world should we do this to POST?  

Sorry, incomplete bug title.
Summary: Prevent XMLHttpRequests with methods except for GET, HEAD or OPTIONS → Prevent XMLHttpRequests with methods except for GET, HEAD or OPTIONS in prerendered documents
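The method allow-list from the bug summary, sketched as page-level JavaScript (an added example, not part of the bug thread and not Gecko code). `guardXhrForPrerender`, `isPrerendered` and `FakeXhr` are hypothetical names, and how a document learns that it is prerendered is an assumption left to the caller.

```javascript
// Added illustration of the policy in the bug summary; all names are hypothetical.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// XHR open() matches these six method names case-insensitively and uppercases
// them; any other method token is kept as written.
const NORMALIZED = new Set(["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"]);

function normalizeMethod(method) {
  const upper = String(method).toUpperCase();
  return NORMALIZED.has(upper) ? upper : String(method);
}

function isAllowedWhilePrerendered(method) {
  return SAFE_METHODS.has(normalizeMethod(method));
}

// Wraps XhrClass.prototype.open so that, while isPrerendered() returns true,
// any method outside the allow-list is rejected before a request can be sent.
function guardXhrForPrerender(XhrClass, isPrerendered) {
  const originalOpen = XhrClass.prototype.open;
  XhrClass.prototype.open = function (method, ...rest) {
    if (isPrerendered() && !isAllowedWhilePrerendered(method)) {
      throw new Error(`XHR ${normalizeMethod(method)} blocked in prerendered document`);
    }
    return originalOpen.call(this, method, ...rest);
  };
  return XhrClass;
}

// Constructed stand-in for XMLHttpRequest so the example runs outside a browser.
class FakeXhr {
  open(method, url) { this.opened = `${normalizeMethod(method)} ${url}`; }
}

function demo() {
  let prerendered = true; // constructed state flag, supplied by the caller
  guardXhrForPrerender(FakeXhr, () => prerendered);
  const results = [];
  for (const m of ["get", "HEAD", "options", "post", "DELETE"]) {
    try { new FakeXhr().open(m, "/api"); results.push(`${m}: allowed`); }
    catch (e) { results.push(`${m}: blocked`); }
  }
  prerendered = false; // the document has now been shown to the user
  new FakeXhr().open("POST", "/api");
  results.push("POST after activation: allowed");
  return results;
}
```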
https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven't been updated in more than 3 years and have no one currently assigned to P5.

If you have questions, please contact :mdaly.
Priority: -- → P5
Component: DOM → DOM: Core & HTML
Severity: normal → S3