16.03.2009, at 14:12, Anne van Kesteren wrote:

>> An unrelated question about the same sentence is why the header
>> field value is matched case insensitively. My understanding is that
>> this rule was meant to prevent exposing unsuspecting servers to
>> requests that couldn't be made with existing mechanisms such as
>> form submission, and I'd be quite surprised if any major browser
>> used anything but lower case here.
>
> Media types are ASCII case-insensitive. E.g. if someone does
>
> setRequestHeader("Content-type", "TEXT/Plain")
>
> that should just work.

The difference is that when one does <form enctype="TEXT/Plain">, the MIME type on the wire is "text/plain", but with setRequestHeader, it's "TEXT/Plain". So, server-side code that does case-sensitive comparisons (something like if (contentType == "text/plain") ... else if (contentType == "multipart/form-data") else <assume application/x-www-form-urlencoded>) can be fooled.

I'm not saying that this is a particularly likely bug for servers to have, but it's also extremely easy to protect from in CORS.

- WBR, Alexey Proskuryakov

Received on Monday, 16 March 2009 11:30:09 GMT
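The following Python is an added illustration of the point made above; it is not code from the thread or from any browser or server project. It contrasts the fragile case-sensitive dispatch Alexey sketches (an exact-match chain with a fall-through default) with a version that normalises the media type first, and shows a CORS-style check that treats `TEXT/Plain` like `text/plain`. The function names, the parameter stripping and the constructed header values are all assumptions made for this example.

```python
"""Content-Type dispatch: case-sensitive (fragile) vs normalised (robust).

Added example, not from the mailing-list thread. The three media types are the
ones a plain HTML form can send; everything else here is constructed.
"""

# Media types an HTML form can emit without scripting (assumption: this is the
# set the CORS "simple request" rule is protecting).
FORM_MEDIA_TYPES = (
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
)


def media_type(content_type: str) -> str:
    """Return the bare media type: drop parameters (e.g. ';charset=...'),
    trim whitespace and lower-case the ASCII, since media types are
    ASCII case-insensitive."""
    return content_type.split(";", 1)[0].strip().lower()


def dispatch_case_sensitive(content_type: str) -> str:
    """The pattern described in the thread: exact string comparisons with a
    catch-all default. Any spelling the author did not anticipate, such as
    'TEXT/Plain', silently falls through to the urlencoded parser."""
    if content_type == "text/plain":
        return "plain"
    elif content_type == "multipart/form-data":
        return "multipart"
    else:
        return "urlencoded"  # assumes application/x-www-form-urlencoded


def dispatch_normalised(content_type: str):
    """Hardened variant: compare the normalised media type and refuse unknown
    types instead of guessing (a real server would answer 415 here)."""
    mt = media_type(content_type)
    if mt == "text/plain":
        return "plain"
    if mt == "multipart/form-data":
        return "multipart"
    if mt == "application/x-www-form-urlencoded":
        return "urlencoded"
    return None


def is_form_content_type(value: str) -> bool:
    """CORS-style check: could a form have sent this Content-Type? The
    comparison is done on the normalised media type, so 'TEXT/Plain' and
    'text/plain; charset=UTF-8' both count as form-compatible."""
    return media_type(value) in FORM_MEDIA_TYPES


if __name__ == "__main__":
    # Constructed header value, as setRequestHeader() would put it on the wire.
    scripted = "TEXT/Plain"
    print("case-sensitive dispatch:", dispatch_case_sensitive(scripted))  # urlencoded (fooled)
    print("normalised dispatch:    ", dispatch_normalised(scripted))      # plain
    print("form-compatible?        ", is_form_content_type(scripted))     # True
    print("JSON form-compatible?   ", is_form_content_type("application/json"))  # False
```

The difference between the two dispatchers is the whole bug: the case-sensitive chain routes `TEXT/Plain` to the urlencoded parser, which is the "can be fooled" case, while the normalised one sees the same media type a form would have produced.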
This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 7 December 2009 10:43:07 GMT