Laurens Holst wrote:
> Laurens Holst wrote:
>> Or, if you really do not want to increase the attack surface, you
>> should always send the content type application/x-www-form-urlencoded,
>> and only allow request entities constructed through an API. Because
>> servers only expect x-www-form-urlencoded and not text/plain, and
>> servers might have parsing issues if the POST body is malformed, both
>> leading to changes from what is currently possible with HTML and thus,
>> security risks.
>
> Sorry, apparently this is a misconception of mine, using
> encoding="text/plain" you can apparently already send arbitrary
> requests. So ignore this paragraph please :). The rest does still apply.
>
> By the way, I do not see how requiring servers to ignore the request
> entity content type and forcing them to do content sniffing makes things
> more secure, instead of less.

Though to be honest I would really like to figure out a way to disable cross-site POSTs even from forms. CSRF is a big problem with tons of sites vulnerable today. So I'd really like to not perpetuate the model of allowing cross-site POSTs.

An interesting first step in that direction would be to disallow cross-site text/plain posts since they are so rare that it'd likely not affect many sites.

/ Jonas

Received on Tuesday, 18 March 2008 17:46:48 UTC
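The server-side counterpart of the policy discussed above, as an added example that is not code from the thread or from any browser vendor: a request gate that never sniffs the body (it accepts only the two form encodings and rejects text/plain outright) and refuses cross-site POSTs by comparing the Origin header, or failing that the Referer, against the site's own origin. The header names and the "unknown origin counts as cross-site" rule are assumptions chosen for this example.

```python
from urllib.parse import urlsplit

# Only the encodings a form-handling endpoint actually parses; anything else
# (including text/plain) is rejected rather than sniffed.
ALLOWED_FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data"}


def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def request_origin(headers):
    """Return scheme://host[:port] from Origin, else from Referer, else None.

    `headers` must already have lower-cased keys.
    """
    origin = headers.get("origin")
    if origin:
        return origin.strip().lower()
    referer = headers.get("referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def gate_post(headers, site_origin):
    """Decide whether a POST may reach the form handler.

    Returns (allowed, reason). Policy (an assumption of this example):
    1. the declared media type must be one the handler parses, no sniffing;
    2. the request must be same-origin; a request whose origin cannot be
       determined is treated as cross-site.
    """
    h = {k.lower(): v for k, v in headers.items()}
    mtype = media_type(h.get("content-type", ""))
    if mtype not in ALLOWED_FORM_TYPES:
        return False, f"unexpected content type {mtype or '<none>'}"
    origin = request_origin(h)
    if origin is None:
        return False, "origin unknown"
    if origin != site_origin.lower():
        return False, f"cross-site POST from {origin}"
    return True, "ok"
```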
This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:50:09 UTC