
Re: [CORS] Charset in content type

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 16 Mar 2009 17:25:48 +0100
To: "Alexey Proskuryakov" <ap@webkit.org>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <op.uqv7xabc64w2qv@annevk-macbook.lan>
On Mon, 16 Mar 2009 12:29:34 +0100, Alexey Proskuryakov <ap@webkit.org>  
wrote:
> The difference is that when one does <form enctype="TEXT/Plain">, the  
> MIME type on the wire is "text/plain", but with setRequestHeader, it's  
> "TEXT/Plain". So, server-side code that does case-sensitive comparisons  
> (something like if (contentType == "text/plain") ... else if  
> (contentType == "multipart/form-data") else <assume
> application/x-www-form-urlencoded>) can be fooled. I'm not saying that this is a
> particularly likely bug for servers to have, but it's also extremely
> easy to protect from in CORS.

If we want to do normalization of media types it seems better to do that  
in XMLHttpRequest, no?


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 16 March 2009 16:26:39 GMT
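
The server-side failure mode described in the quoted message, next to a dispatcher that normalizes the media type before comparing, as an added example that is not part of the original thread. All function names, the accepted-type list and the "reject" behaviour are assumptions made for illustration.

```javascript
// Added example; every name here is hypothetical, not from a real server.

// Fragile dispatcher of the kind the quoted message describes:
// exact string comparison with a silent fallback to urlencoded.
function pickParserNaive(contentType) {
  if (contentType === "text/plain") return "text/plain";
  else if (contentType === "multipart/form-data") return "multipart/form-data";
  return "application/x-www-form-urlencoded"; // assumed default
}

// HTTP token characters, lowercase only because input is lowercased first.
const TOKEN = "[!#$%&'*+.^_`|~0-9a-z-]+";
const MEDIA_TYPE = new RegExp("^" + TOKEN + "/" + TOKEN + "$");

// Reduce a Content-Type header value to lowercase "type/subtype",
// dropping parameters such as charset or boundary. Returns null when
// the value is missing or is not a single well-formed media type.
function normalizeMediaType(headerValue) {
  if (typeof headerValue !== "string") return null;
  const essence = headerValue.split(";")[0].trim().toLowerCase();
  return MEDIA_TYPE.test(essence) ? essence : null;
}

// Types this hypothetical endpoint is willing to parse.
const ACCEPTED = new Set([
  "text/plain",
  "multipart/form-data",
  "application/x-www-form-urlencoded",
]);

// Hardened dispatcher: compare the normalized type against an explicit
// list and refuse anything else instead of assuming a default.
function pickParser(headerValue) {
  const type = normalizeMediaType(headerValue);
  return type !== null && ACCEPTED.has(type) ? type : "reject";
}

// Constructed sample header values.
for (const h of ["TEXT/Plain", "text/plain; charset=UTF-8", "application/json"]) {
  console.log(JSON.stringify(h), "naive:", pickParserNaive(h), "| hardened:", pickParser(h));
}
```

The naive version sends both the mixed-case value and the value carrying a charset parameter down the urlencoded branch; the hardened version resolves both to text/plain and rejects types it does not list.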
