User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:126.96.36.199) Gecko/20091102 Firefox/3.5.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:188.8.131.52) Gecko/20091102 Firefox/3.5.5
When sending an cross site domain POST request with an application/x-www-form-urlencoded Content-Type, the request becomes preflighted. This contradicts the documentation in https://developer.mozilla.org/en/HTTP_access_control#Simple_requests .
Steps to Reproduce:
1. Open the uploaded example file
2. Click on the 'URL encoded post' button
An OPTIONS (prefilghted) request is send.
A normal POST request should be send.
Created attachment 415618 [details]
Example HTML file
Yeah, I decided to be a bit stricter than the spec here. My concern was that while you can send cross-site application/x-www-form-urlencoded requests right now, they can't be arbitrarily formatted. So possibly allowing arbitrary formatting could expose security issues in servers.
Though probably that is overly paranoid.
I understand your concerns now. A very funny XKCD strip comes to mind: http://www.xkcd.com/327/ . :)
As you have clearly put a lot more thought into this than I have, I leave it up to you to decide to mark this bug as a 'Won't fix' or not.
Nice to know that I'm not crazy, you're just not following the spec. I couldn't figure out why, when all I was changing was the content-type, requests suddenly got preflighted. I disagree with your paranoid decision on the following grounds:
a) Some server software is built to specifically use x-www-form-urlencoded. That happens to be our scenario.
b) Not everyone can deal with pre-flighting. In our case, the destination server has a security model (yay for IIS) that applies to all requests -- GET, POST, and OPTIONS alike. The browser refuses to follow-up on a preflight if the OPTIONS request comes back with a 401 Unauthorized, which was sent because the server is trying to initiate NTLM authentication. So we need a solution that avoids pre-flight, if we want to avoid writing a whole filter/module just to bypass security just on OPTIONS requests, just so we can get FF to finish what it started. Or you could make FF allow for 401-NEGOTIATE responses, negotiate all the way through the OPTIONS request, get permission, then make the actual request. I wouldn't mind, though it's not ideal either.
c) You're not protecting the server anyway. It's always been possible for someone to attack a server with spoofed, malicious requests, and if they couldn't handle x-www-form-urlencoded before, this isn't opening them up to anything new.
d) There's a spec. The spec says this should be allowed.
e) Your own documentation says it's allowed, which drove me absolutely batty trying to diagnose this: https://developer.mozilla.org/En/HTTP_access_control#Simple_requests
f) I like XKCD as well as the next guy, but ... please? Pretty please fix this?
Side note: we discovered that .withCredentials doesn't just mean "if the server asks for them, send them" -- it means "the server should ask you, and if it doesn't, refuse to finish the request you preflighted". That's confusing. Luckily, everything we talk to should ask for credentials, otherwise we'd be having to turn this flag on/off all over the place.
This seems to be fixed in Firefox 4. See: https://developer.mozilla.org/En/HTTP_access_control#Preflighted_requests
Starting in Gecko 2.0 (Firefox 4 / Thunderbird 3.3 / SeaMonkey 2.1), the text/plain, application/x-www-form-urlencoded, and multipart/form-data data encodings can all be sent cross-site without preflighting. Previously, only text/plain could be sent without preflighting.
I just checked it with Firefox 5 and everything seems to be working as expected. Please close this bug.
Done and done. This is indeed fixed.