- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 02 Aug 2011 16:46:59 +0200
- To: public-webapps@w3.org, "Philippe De Ryck" <philippe.deryck@cs.kuleuven.be>
- Cc: "Giles Hogben" <Giles.Hogben@enisa.europa.eu>, "Lieven Desmet" <Lieven.Desmet@cs.kuleuven.be>

On Mon, 01 Aug 2011 16:09:17 +0200, Philippe De Ryck <philippe.deryck@cs.kuleuven.be> wrote:
> The CORS specification fails to protect legacy servers from POST
> messages with arbitrary body formatting.

You can create pretty much any arbitrary message body you want using application/x-www-form-urlencoded already by crafting smart names and values, so the real importance is in not being able to set Content-Type. This is not a security problem as far as I can tell.

--
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 2 August 2011 14:47:32 UTC
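
The point made in the message above, seen from the server side, as an added example that is not part of the original e-mail: a check that only looks at the shape of the body accepts a form-typed POST, while a check on the declared Content-Type rejects it. The function names, the `application/json` endpoint and the sample requests are assumptions constructed for illustration.

```python
import json

# Content types an HTML form can already send; CORS lets these cross
# origins without a preflight, so a page cannot be stopped from using them.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def media_type(header_value):
    """Return the lowercase type/subtype of a Content-Type value, parameters dropped."""
    if not header_value:
        return ""
    return header_value.split(";", 1)[0].strip().lower()


def body_only_check(headers, body):
    """Weak check (hypothetical): accept any body that parses as JSON."""
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


def content_type_check(headers, body, expected="application/json"):
    """Stricter check (hypothetical): the declared media type must match first."""
    if expected in FORM_TYPES:
        raise ValueError("a form-sendable type gives no protection as the expected type")
    lowered = {k.lower(): v for k, v in headers.items()}
    if media_type(lowered.get("content-type")) != expected:
        return False
    return body_only_check(headers, body)


# Constructed sample requests (not captured traffic).
FORM_TYPED_POST = ({"Content-Type": "application/x-www-form-urlencoded"},
                   '{"action": "delete", "pad": "="}')
NATIVE_CLIENT_POST = ({"content-type": "application/json; charset=utf-8"},
                      '{"action": "delete"}')

if __name__ == "__main__":
    for name, (hdrs, body) in [("form-typed", FORM_TYPED_POST),
                               ("native client", NATIVE_CLIENT_POST)]:
        print(name, "body-only:", body_only_check(hdrs, body),
              "content-type:", content_type_check(hdrs, body))
```
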