
Re: [cors] Legacy Servers: POST Body Format

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 02 Aug 2011 16:46:59 +0200
To: public-webapps@w3.org, "Philippe De Ryck" <philippe.deryck@cs.kuleuven.be>
Cc: "Giles Hogben" <Giles.Hogben@enisa.europa.eu>, "Lieven Desmet" <Lieven.Desmet@cs.kuleuven.be>
Message-ID: <op.vzlcolpx64w2qv@annevk-macbookpro.local>

On Mon, 01 Aug 2011 16:09:17 +0200, Philippe De Ryck  
<philippe.deryck@cs.kuleuven.be> wrote:
> The CORS specification fails to protect legacy servers from POST
> messages with arbitrary body formatting.

You can create pretty much any arbitrary message body you want using  
application/x-www-form-urlencoded already by crafting smart names and  
values so the real importance is in not being able to set Content-Type.  
This is not a security problem as far as I can tell.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 2 August 2011 14:47:32 GMT
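
The reply above turns on Content-Type being the one part of a cross-origin POST that a page cannot choose freely. The following server-side check is an added example, not part of the original message or of the CORS specification text. It gates a JSON endpoint on the declared media type instead of on what the body looks like. The function names, the request shape (lower-cased header names, string body) and the sample requests are assumptions constructed for illustration.

```javascript
// Media types a cross-origin page can send without triggering a CORS preflight.
const SIMPLE_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Lower-cased media type with parameters (charset, boundary) removed.
function mediaType(headerValue) {
  if (typeof headerValue !== "string") return "";
  return headerValue.split(";")[0].trim().toLowerCase();
}

// True when the declared type needs no preflight. A missing header is
// treated the same way (a conservative choice made for this example).
function sendableWithoutPreflight(headerValue) {
  const t = mediaType(headerValue);
  return t === "" || SIMPLE_TYPES.has(t);
}

// Hypothetical handler: decide on Content-Type first, parse second.
// The body is never sniffed, because its shape proves nothing about the sender.
function acceptJsonPost(req) {
  const type = mediaType(req.headers["content-type"]);
  if (type !== "application/json") {
    return { ok: false, status: 415, reason: "unexpected Content-Type: " + (type || "(none)") };
  }
  try {
    return { ok: true, status: 200, data: JSON.parse(req.body) };
  } catch (e) {
    return { ok: false, status: 400, reason: "malformed JSON" };
  }
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = [
  // Body parses as JSON, but the declared type is one a page can send without preflight.
  { headers: { "content-type": "text/plain; charset=UTF-8" }, body: '{"amount": 10}' },
  // Same body with the type the endpoint expects.
  { headers: { "content-type": "application/json; charset=utf-8" }, body: '{"amount": 10}' },
  // Expected type, broken body.
  { headers: { "content-type": "application/json" }, body: "{not json" },
];

for (const r of SAMPLE_REQUESTS) {
  console.log(r.headers["content-type"], "->", acceptJsonPost(r).status);
}
```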
