On Mon, 16 Mar 2009 12:29:34 +0100, Alexey Proskuryakov <ap@webkit.org> wrote:
> The difference is that when one does <form enctype="TEXT/Plain">, the
> MIME type on the wire is "text/plain", but with setRequestHeader, it's
> "TEXT/Plain". So, server-side code that does case-sensitive comparisons
> (something like if (contentType == "text/plain") ... else if
> (contentType == "multipart/form-data") else <assume
> application/x-www-form-urlencoded>) can be fooled. I'm not saying that
> this is a particularly likely bug for servers to have, but it's also
> extremely easy to protect from in CORS.

If we want to do normalization of media types it seems better to do that in XMLHttpRequest, no?

-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Monday, 16 March 2009 16:26:39 GMT
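
The server-side comparison sketched in the quoted message, next to a dispatcher that normalizes the media type before comparing, as an added example that is not part of the original thread. The function names and the sample header values are constructed for illustration.

```javascript
// Added example; all names here are hypothetical, not from any server framework.

// Dispatcher shaped like the one in the quoted message: exact string
// comparison, and anything unrecognised is assumed to be urlencoded form data.
function pickParserCaseSensitive(contentType) {
  if (contentType === "text/plain") return "text";
  if (contentType === "multipart/form-data") return "multipart";
  return "urlencoded";
}

// HTTP token characters (lowercase only, since input is lowercased first).
const TOKEN = "[!#$%&'*+.^_`|~0-9a-z-]+";
const ESSENCE = new RegExp("^" + TOKEN + "/" + TOKEN + "$");

// Reduce a Content-Type header value to lowercase "type/subtype".
// Type and subtype names are case-insensitive; parameters such as
// charset or boundary are dropped for the purpose of the comparison.
function normalizeMediaType(headerValue) {
  if (typeof headerValue !== "string") return null;
  const essence = headerValue.split(";")[0].trim().toLowerCase();
  return ESSENCE.test(essence) ? essence : null;
}

// Hardened dispatcher: compare the normalized value and refuse anything
// that is not explicitly expected, instead of falling through to a default.
function pickParserNormalized(contentType) {
  switch (normalizeMediaType(contentType)) {
    case "text/plain": return "text";
    case "multipart/form-data": return "multipart";
    case "application/x-www-form-urlencoded": return "urlencoded";
    default: return "reject";
  }
}

// Constructed sample header values.
for (const h of ["text/plain", "TEXT/Plain", "text/plain; charset=UTF-8", "bogus"]) {
  console.log(JSON.stringify(h), pickParserCaseSensitive(h), pickParserNormalized(h));
}
```
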