Re: IE Team's Proposal for Cross Site Requests

Laurens Holst schreef:
> Or, if you really do not want to increase the attack surface, you 
> should always send the content type application/x-www-form-urlencoded, 
> and only allow request entities constructed through an API. Because 
> servers only expect x-www-form-urlencoded and not text/plain, and 
> servers might have parsing issues if the POST body is malformed, both 
> leading to changes from what is currently possible with HTML and thus, 
> security risks. 

Sorry, apparantly this is a misconception of mine, using 
encoding="text/plain" you can apparantly already send arbitrary 
requests. So ignore this paragraph please :). The rest does still apply.

By the way, I do not see how requiring servers to ignore the request 
entity content type and forcing them to do content sniffing makes things 
more secure, instead of less.


~Grauw

-- 
Ushiko-san! Kimi wa doushite, Ushiko-san nan da!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Laurens Holst, student, university of Utrecht, the Netherlands.
Website: www.grauw.nl. Backbase employee; www.backbase.com.

Received on Tuesday, 18 March 2008 13:52:42 UTC