Sunava Dutta wrote:
Maciej Stachowiak [EMAIL PROTECTED] said:
<<But not exactly identical, since forms can't be used to POST XML content with a 
proper MIME type cross-domain.>>

You're right-- setting an arbitrary request content-type is a capability not 
present in HTML forms today.  While we believe that this is a minimal increase 
in attack surface, we agree that it's worth considering whether or not such 
capability should be removed.

If removed, all XDR POST requests could be sent with:

                Content-Type: text/plain; charset=UTF-8

Servers would then be flexible in interpreting the data in the higher-level 
format they expect (JSON, XML, etc).
This assumes that the server can know a priori what type they expect. This isn't necessarily the case for e.g., AtomPub servers. Or are they supposed to guess the content type from the content body? That's surely a recipe for security disasters down the road...
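To make the disagreement above concrete, here is an added example (not code from either poster, nor from any XDR or AtomPub implementation) of the two server-side policies being discussed. It models an endpoint that accepts JSON or XML bodies and shows what happens when a cross-origin POST arrives labelled `text/plain; charset=UTF-8`, which is the only label the proposed XDR restriction would allow. The request tuples and the `dispatch` function are constructed for illustration; the sniffing rule (look at the first non-blank byte) is one hypothetical way a server might "guess the content type from the content body".

```python
import json
import xml.etree.ElementTree as ET

# Constructed requests, as the thread describes them. The two XDR_* requests carry
# JSON and Atom bodies but are labelled text/plain because, under the proposal,
# the cross-origin page could not set any other Content-Type.
XDR_JSON_POST = ("text/plain; charset=UTF-8",
                 '{"title": "hello", "content": "posted from another origin"}')
XDR_ATOM_POST = ("text/plain; charset=UTF-8",
                 '<entry xmlns="http://www.w3.org/2005/Atom"><title>hello</title></entry>')
SAME_ORIGIN_JSON = ("application/json; charset=utf-8", '{"title": "hello"}')
HTML_FORM_POST = ("application/x-www-form-urlencoded", "title=hello")

XML_TYPES = {"application/xml", "text/xml", "application/atom+xml"}


def media_type(content_type):
    """'application/json; charset=utf-8' -> 'application/json' (parameters dropped)."""
    return content_type.split(";", 1)[0].strip().lower()


def dispatch(content_type, body, sniff_text_plain=False):
    """Decide how a JSON/XML endpoint treats one request.

    Returns 'json' or 'xml' when the body would be handed to that parser, and
    'rejected' (an HTTP 415 in a real server) otherwise.

    sniff_text_plain=False: the declared Content-Type is authoritative. A text/plain
    body is never reinterpreted, so only a sender that can set application/json or
    an XML type (same-origin XHR, but not an HTML form or the restricted XDR) reaches
    the parsers.

    sniff_text_plain=True: a text/plain body is relabelled from its first non-blank
    byte. This is the hypothetical "guess from the body" policy the reply warns about:
    any origin that can send text/plain now reaches the JSON/XML handlers.
    """
    mt = media_type(content_type)
    if mt == "text/plain" and sniff_text_plain:
        head = body.lstrip()[:1]
        if head in ("{", "["):
            mt = "application/json"
        elif head == "<":
            mt = "application/xml"
    if mt == "application/json":
        json.loads(body)        # stands in for the real JSON handler
        return "json"
    if mt in XML_TYPES:
        ET.fromstring(body)     # stands in for the real Atom/XML handler
        return "xml"
    return "rejected"


if __name__ == "__main__":
    requests = {
        "XDR JSON (text/plain)": XDR_JSON_POST,
        "XDR Atom (text/plain)": XDR_ATOM_POST,
        "same-origin JSON": SAME_ORIGIN_JSON,
        "HTML form": HTML_FORM_POST,
    }
    for name, (ctype, body) in requests.items():
        print(f"{name:24s} strict={dispatch(ctype, body):9s}"
              f" sniffing={dispatch(ctype, body, sniff_text_plain=True)}")
```

Under the strict policy both text/plain requests are rejected, exactly like a form post; under the sniffing policy the same two requests are parsed as JSON and Atom, so the server can no longer tell a cross-origin text/plain POST from a same-origin request that set the type deliberately.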

