Laurens Holst wrote:
Laurens Holst wrote:
Or, if you really do not want to increase the attack surface, you
should always send the content type application/x-www-form-urlencoded,
and only allow request entities constructed through an API. Because
servers only expect x-www-form-urlencoded and not text/plain, and
servers might have parsing issues if the POST body is malformed, both
leading to changes from what is currently possible with HTML and thus,
security risks.
Sorry, apparently this is a misconception of mine: using
encoding="text/plain" you can apparently already send arbitrary
requests. So ignore this paragraph please :). The rest does still apply.
By the way, I do not see how requiring servers to ignore the request
entity content type and forcing them to do content sniffing makes things
more secure, instead of less.
Though to be honest I would really like to figure out a way to disable
cross-site POSTs even from forms. CSRF is a big problem with tons of
sites vulnerable today.
So I'd really like to not perpetuate the model of allowing cross-site
POSTs. An interesting first step in that direction would be to disallow
cross-site text/plain posts since they are so rare that it'd likely not
affect many sites.
/ Jonas
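Two points in the exchange above lend themselves to a concrete demonstration: that an `enctype="text/plain"` form already lets a cross-site page send an arbitrary-looking request body, and that a server which sniffs the body instead of honouring the request's Content-Type is weaker, not stronger. The following is an added example written for this page, not code from either poster. It assumes Node.js; `textPlainBody` mirrors the browser's text/plain form serialization (one `name=value` line per field, CRLF-terminated, no percent-encoding), and the attacker field, `acceptsJsonBySniffing` and `acceptsJsonStrict` are constructed for the illustration.

```javascript
// Added example, not from the mailing-list thread. Emulates how a browser
// serializes <form enctype="text/plain"> and contrasts a content-sniffing
// server check with one that insists on the declared media type.

// text/plain form encoding: for each field, name, "=", value, CRLF.
// Nothing is percent-encoded, so the field name can carry arbitrary bytes.
function textPlainBody(fields) {
  return fields.map(([name, value]) => `${name}=${value}\r\n`).join('');
}

// Constructed attacker form: a single field whose name is the start of a
// JSON document and whose value closes it. The "=" the browser inserts
// lands harmlessly inside a JSON string.
const ATTACKER_FIELDS = [
  ['{"action":"transfer","to":"evil","note":"', '"}'],
];

// Strip parameters such as "; charset=utf-8" and normalise the media type.
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Weak check: ignores Content-Type and accepts anything that parses as JSON.
// A cross-site text/plain form post from ATTACKER_FIELDS sails through.
function acceptsJsonBySniffing(headers, body) {
  try { JSON.parse(body); return true; } catch { return false; }
}

// Strict check: require application/json exactly. An HTML form can only
// produce application/x-www-form-urlencoded, multipart/form-data or
// text/plain, so a JSON endpoint that refuses everything else cannot be
// reached by a cross-site form at all, whatever the body looks like.
function acceptsJsonStrict(headers, body) {
  if (mediaType(headers['content-type']) !== 'application/json') return false;
  try { JSON.parse(body); return true; } catch { return false; }
}

// Run the attacker's form body through both checks and report the outcome.
function demo() {
  const body = textPlainBody(ATTACKER_FIELDS);
  const formHeaders = { 'content-type': 'text/plain' };
  return {
    body,
    sniffing: acceptsJsonBySniffing(formHeaders, body),
    strict: acceptsJsonStrict(formHeaders, body),
  };
}

console.log(JSON.stringify(demo()));
```

`demo()` shows the body `{"action":"transfer","to":"evil","note":"="}` followed by CRLF being accepted by the sniffing check and rejected by the strict one; the strict check still accepts a genuine `application/json; charset=utf-8` request. Checking the media type is only one layer: it stops form-based cross-site posts, not a client that can set arbitrary headers, so a CSRF token or equivalent is still needed where cross-site POSTs remain possible.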