Sunava Dutta wrote:
Maciej Stachowiak [EMAIL PROTECTED] said:
<<But not exactly identical, since forms can't be used to POST XML content with a 
proper MIME type cross-domain.>>

You're right-- setting an arbitrary request content-type is a capability not 
present in HTML forms today.  While we believe that this is a minimal increase 
in attack surface, we agree that it's worth considering whether or not such 
capability should be removed.

If removed, all XDR POST requests could be sent with:

                Content-Type: text/plain; charset=UTF-8

Servers would then be flexible in interpreting the data in the higher-level 
format they expect (JSON, XML, etc).

What? No, you should send the requests with no Content-Type at all, as the Content-Type is not known.

Or, if you really do not want to increase the attack surface, you should always send the content type application/x-www-form-urlencoded, and only allow request entities constructed through an API. Because servers only expect x-www-form-urlencoded and not text/plain, and servers might have parsing issues if the POST body is malformed, both lead to changes from what is currently possible with HTML and thus to security risks.

Note by the way that cross-site XHR basically works on a model that normally ONLY allows GET requests (addressing my concerns on POST in my previous mail), contrary to XDR which allows GET and POST. So this issue you’re having does not apply to XHR. 1-0 for XHR.

Cross-site XHR has a special opt-in method to allow POST, DELETE and PUT requests as well, when it is needed. This will not put any existing sites at risk, because it’s opt-in (unlike XDR’s POST): the server needs to EXPLICITLY allow them for a specific resource. Allowing these methods at all is necessary to prevent sites from overloading the GET request in order to acquire their desired functionality. 2-0 for XHR.


~Grauw

--
Ushiko-san! Kimi wa doushite, Ushiko-san nan da!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Laurens Holst, student, university of Utrecht, the Netherlands.
Website: www.grauw.nl. Backbase employee; www.backbase.com.
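The opt-in model argued for in the reply above, written out as a server-side access-control decision. This is an added illustration, not code from the thread or from any browser or server implementation; the `ResourcePolicy` class, the `decide` function and the reason strings are my own names, and the sample policy and origins are constructed.

```python
# Constructed example: per-resource cross-site access control in the style
# the reply describes. Cross-site GET is allowed for listed origins without
# any further opt-in; POST, PUT and DELETE are refused unless the resource
# has EXPLICITLY listed that method. Nothing here is a real server's API.
from dataclasses import dataclass, field

# Request entities an HTML form can already produce cross-site today;
# anything else on a POST is new attack surface relative to forms.
FORM_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data"}


@dataclass
class ResourcePolicy:
    allowed_origins: set
    # Methods beyond GET must be opted in per resource; empty means GET only.
    opted_in_methods: set = field(default_factory=set)


def media_type(content_type):
    """Strip parameters such as '; charset=UTF-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower() if content_type else ""


def exceeds_form_surface(method, headers):
    """True if an HTML form could NOT have sent this request cross-site."""
    if method == "GET":
        return False
    if method == "POST":
        return media_type(headers.get("Content-Type")) not in FORM_CONTENT_TYPES
    return True  # PUT, DELETE, etc. are never reachable from a form


def decide(policy, origin, method, headers):
    """Return (allowed, reason) for a cross-site request against a resource."""
    if origin not in policy.allowed_origins:
        return False, "origin-not-allowed"
    if method == "GET":
        return True, "get-allowed-by-default"
    if method in policy.opted_in_methods:
        return True, "method-explicitly-opted-in"
    # Useful for logging: flag what the request would have added over forms.
    if exceeds_form_surface(method, headers):
        return False, "method-not-opted-in (beyond HTML form surface)"
    return False, "method-not-opted-in"


if __name__ == "__main__":
    policy = ResourcePolicy(allowed_origins={"https://app.example"},
                            opted_in_methods={"DELETE"})
    print(decide(policy, "https://app.example", "GET", {}))
    print(decide(policy, "https://app.example", "POST",
                 {"Content-Type": "application/xml"}))
```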
