[whatwg/fetch] CORS Content-Type "bypass" 2 (#838)

@MattMenke2 made me think of another "bypass", though it would only affect naïve parsers:

* `text/plain;,application/json`
* `text/plain;charset=utf-8,application/json`

These would only be successful with a server that splits on `,` and uses the last value, which isn't compliant per HTTP. An easy fix would be to ban 0x2C `,`.

I thought I'd raise it here so it can be considered. I'm sorry for all the recent changes to this and that not everything was considered at once. Hopefully the bugs and tests help mitigate the churn annoyance.

cc @yutakahirano @youennf 

-- 
View it on GitHub:
https://github.com/whatwg/fetch/issues/838

Received on Thursday, 22 November 2018 13:33:10 UTC
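
The parsing difference described in the issue, as an added example that is not part of the original message or of the Fetch specification text. All function names are hypothetical; the safelist holds the three CORS-safelisted `Content-Type` essences, and the two sample values are the ones quoted in the issue.

```javascript
// Added example; every function name here is hypothetical.

// The two header values quoted in the issue.
const SAMPLES = [
  "text/plain;,application/json",
  "text/plain;charset=utf-8,application/json",
];

// Non-compliant server behaviour described in the issue:
// split on "," and use the last value.
function naiveEssence(header) {
  const last = header.split(",").pop();
  return last.split(";")[0].trim().toLowerCase();
}

// Single-valued parsing: the type/subtype is everything before the first ";".
// A "," is never treated as a list separator. Returns null if it is not a token pair.
function strictEssence(header) {
  const essence = header.split(";")[0].trim().toLowerCase();
  const token = "[!#$%&'*+\\-.^_`|~0-9a-z]+";
  return new RegExp(`^${token}/${token}$`).test(essence) ? essence : null;
}

const SAFELISTED = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Safelist check including the fix proposed in the issue: ban 0x2C outright.
function isSafelistedContentType(header) {
  if (header.includes(",")) return false;
  const essence = strictEssence(header);
  return essence !== null && SAFELISTED.has(essence);
}

// Server-side hardening: refuse an ambiguous value instead of guessing.
// A null result means the request should be rejected (for example with 415).
function serverContentType(header) {
  return header.includes(",") ? null : strictEssence(header);
}

// Audit helper: true when the two parsing strategies disagree on the type.
function parsersDisagree(header) {
  return naiveEssence(header) !== strictEssence(header);
}
```

`parsersDisagree` can be run over logged `Content-Type` values to find requests that a split-on-comma backend would have read differently from a compliant one.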