W3C home > Mailing lists > Public > public-appformats@w3.org > March 2008

Re: IE Team's Proposal for Cross Site Requests

From: Thomas Roessler <tlr@w3.org>
Date: Mon, 17 Mar 2008 23:02:10 +0100
To: Sunava Dutta <sunavad@windows.microsoft.com>
Cc: Maciej Stachowiak <mjs@apple.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>
Message-ID: <20080317220210.GP159@iCoaster.does-not-exist.org>

On 2008-03-17 14:29:54 -0700, Sunava Dutta wrote:

> If removed, all XDR POST requests could be sent with:
> 
>                 Content-Type: text/plain; charset=UTF-8

> Servers would then be flexible in interpreting the data in the
> higher-level format they expect (JSON, XML, etc).

Why text/plain, as opposed to, say,
application/x-www-form-urlencoded?

Or even some other content type?  I'm worried that you're suggesting
some pretty intrusive profiling of HTTP here, effectively
*requiring* content sniffing to deal with any kind of form content.

That creates its own bit of complexity and possibilities for
insecurities down the road.

I'd rather we deal with the added attack surface due to being able
to POST properly labelled XML content than introducing another
divergence into how HTTP headers are interpreted by Web
applications.

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Monday, 17 March 2008 22:02:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 17 March 2008 22:02:48 GMT