I’ve seen articles and posts all over (including SO) on this topic, and the prevailing commentary is that same-origin policy prevents a form POST across domains. The only place I’ve seen someone suggest that same-origin policy does not apply to form posts, is here.
I’d like to have an answer from a more “official” or formal source. For example, does anyone know the RFC that addresses how same-origin does or does not affect a form POST?
clarification: I am not asking if a GET or POST can be constructed and sent to any domain. I am asking:
- if Chrome, IE, or Firefox will allow content from domain ‘Y’ to send a POST to domain ‘X’
- if the server receiving the POST will actually see any form values at all. I say this because the majority of online discussion records testers saying the server received the post, but the form values were all empty / stripped out.
- What official document (i.e. RFC) explains what the expected behavior is (regardless of what the browsers have currently implemented).
Incidentally, if same-origin does not affect form POSTs – then it makes it somewhat more obvious of why anti-forgery tokens are necessary. I say “somewhat” because it seems too easy to believe that an attacker could simply issue an HTTP GET to retrieve a form containing the anti-forgery token, and then make an illicit POST which contains that same token. Comments?
The same origin policy is applicable only for browser side programming languages. So if you try to post to a different server than the origin server using JavaScript, then the same origin policy comes into play but if you post directly from the form i.e. the action points to a different server like:
and there is no javascript involved in posting the form, then the same origin policy is not applicable.
See wikipedia for more information