
Re: IE Team's Proposal for Cross Site Requests

From: John Panzer <jpanzer@acm.org>
Date: Mon, 17 Mar 2008 21:18:05 -0700
Message-ID: <47DF427D.2040100@acm.org>
To: Sunava Dutta <sunavad@windows.microsoft.com>
CC: Maciej Stachowiak <mjs@apple.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>

Sunava Dutta wrote:
> Maciej Stachowiak [mjs@apple.com] said:
> <<But not exactly identical, since forms can't be used to POST XML content with a proper MIME type cross-domain.>>
>
> You're right-- setting an arbitrary request content-type is a capability not present in HTML forms today.  While we believe that this is a minimal increase in attack surface, we agree that it's worth considering whether or not such capability should be removed.
>
> If removed, all XDR POST requests could be sent with:
>
>                 Content-Type: text/plain; charset=UTF-8
>
> Servers would then be flexible in interpreting the data in the higher-level format they expect (JSON, XML, etc).
>   
This assumes that the server can know a priori what type they expect. This isn't necessarily the case for e.g., AtomPub servers. Or are they supposed to guess the content type from the content body? That's surely a recipe for security disasters down the road...

Received on Tuesday, 18 March 2008 04:14:51 GMT
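As an added illustration that is not part of the thread, here is a Python sketch of the server-side choice the reply raises: a naive sniffer that guesses a format from the body alone, beside a dispatcher that parses an XDR-style text/plain body only when the endpoint expects exactly one format and refuses (415) on a multi-format endpoint rather than guessing. The AtomPub-like endpoint, the accepted-type tuples and the sample bodies are constructed for the example.

```python
import json
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"


def naive_sniff(body: bytes) -> str:
    """Guess a media type from the body alone (the approach the reply warns against)."""
    head = body.lstrip()
    if head.startswith(b"<"):
        return "application/atom+xml"      # any '<' looks like an Atom entry
    if head[:1] in (b"{", b"["):
        return "application/json"
    return "application/octet-stream"


def parse(media_type: str, body: bytes):
    """Strictly parse body as the declared type; (status, value) on success, else (400, None)."""
    try:
        if media_type == "application/json":
            return 200, json.loads(body.decode("utf-8"))
        if media_type == "application/atom+xml":
            root = ET.fromstring(body)
            if root.tag != "{%s}entry" % ATOM_NS:   # XML but not an Atom entry
                return 400, None
            return 200, root
    except (ValueError, ET.ParseError, UnicodeDecodeError):
        return 400, None
    return 200, body                      # opaque media resource, stored as-is


def dispatch(content_type: str, body: bytes, accepted: tuple):
    """Route a POST by its declared Content-Type; never sniff a text/plain body
    when the endpoint (e.g. an AtomPub collection taking entries and media) accepts
    more than one format."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type in accepted:
        return parse(media_type, body)
    if media_type == "text/plain" and len(accepted) == 1:
        return parse(accepted[0], body)   # single expected format: parse strictly
    return 415, None                      # ambiguous or unsupported: refuse


# Constructed sample bodies: an HTML file uploaded as a media resource, and an Atom entry.
HTML_UPLOAD = b"<html><body>hello</body></html>"
ATOM_ENTRY = b'<entry xmlns="http://www.w3.org/2005/Atom"><title>t</title></entry>'
ATOMPUB_COLLECTION = ("application/atom+xml", "application/octet-stream")
```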
