
Re: [CORS] Charset in content type

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 16 Mar 2009 17:25:48 +0100
To: "Alexey Proskuryakov" <ap@webkit.org>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <op.uqv7xabc64w2qv@annevk-macbook.lan>

On Mon, 16 Mar 2009 12:29:34 +0100, Alexey Proskuryakov <ap@webkit.org> wrote:
> The difference is that when one does <form enctype="TEXT/Plain">, the  
> MIME type on the wire is "text/plain", but with setRequestHeader, it's  
> "TEXT/Plain". So, server-side code that does case-sensitive comparisons  
> (something like if (contentType == "text/plain") ... else if  
> (contentType == "multipart/form-data") else <assume  
> application/x-www-form-urlencoded>) can be fooled. I'm not saying that this is a  
> particularly likely bug for servers to have, but it's also extremely  
> easy to protect from in CORS.

If we want to do normalization of media types it seems better to do that  
in XMLHttpRequest, no?

Anne van Kesteren
Received on Monday, 16 March 2009 16:26:39 UTC
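
The server-side comparison described in the quoted message, as an added example that is not part of the original thread: the case-sensitive chain with its fall-through default, next to a handler that normalizes the media type (lowercasing it and dropping parameters such as charset) and refuses anything it does not recognize. Function names and sample header values are constructed for illustration.

```python
# Added example: hypothetical function names, constructed header values.
FORM_TYPES = (
    "text/plain",
    "multipart/form-data",
    "application/x-www-form-urlencoded",
)


def classify_naive(content_type):
    """Case-sensitive chain from the quoted message, with its fall-through."""
    if content_type == "text/plain":
        return "text/plain"
    elif content_type == "multipart/form-data":
        return "multipart/form-data"
    else:
        # Anything else is *assumed* to be urlencoded, never checked.
        return "application/x-www-form-urlencoded"


def media_type(content_type):
    """Return the lowercased type/subtype with parameters (charset, ...) removed."""
    essence = content_type.split(";", 1)[0].strip()
    return essence.lower()  # media type names are case-insensitive


def classify_normalized(content_type):
    """Compare the normalized media type and reject unrecognized values."""
    mt = media_type(content_type)
    if mt in FORM_TYPES:
        return mt
    return None  # caller should answer 415 Unsupported Media Type


# Constructed sample Content-Type header values.
SAMPLES = ["text/plain", "TEXT/Plain", "text/plain; charset=UTF-8", "application/json"]


def compare(samples):
    """Pair each header value with the result of both handlers."""
    return [(s, classify_naive(s), classify_normalized(s)) for s in samples]


if __name__ == "__main__":
    for value, naive, normalized in compare(SAMPLES):
        print(f"{value!r:32} naive={naive!r:38} normalized={normalized!r}")
```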
