Thomas Roessler wrote: > On 2008-03-17 14:29:54 -0700, Sunava Dutta wrote: > >> If removed, all XDR POST requests could be sent with: >> >> Content-Type: text/plain; charset=UTF-8 > >> Servers would then be flexible in interpreting the data in the >> higher-level format they expect (JSON, XML, etc). > > Why text/plain, as opposed to, say, > application/x-www-form-urlencoded? > > Or even some other content type? I'm worried that you're suggesting > some pretty intrusive profiling of HTTP here, effectively > *requiring* content sniffing to deal with any kind of form content. > > That creates its own bit of complexity and possibilities for > insecurities down the road. > > I'd rather we deal with the added attack surface due to being able > to POST properly labelled XML content than introducing another > divergence into how HTTP headers are interpreted by Web > applications. +1. Removing the ability to properly specify the content type is a bug, not a feature. (BTW: the same applies to other kinds of profiling, such as by HTTP method name) BR, JulianReceived on Monday, 17 March 2008 22:14:25 UTC
This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:50:09 UTC