On Tue, 2011-08-02 at 16:46 +0200, Anne van Kesteren wrote: > On Mon, 01 Aug 2011 16:09:17 +0200, Philippe De Ryck > <philippe.deryck@cs.kuleuven.be> wrote: > > The CORS specification fails to protect legacy servers from POST > > messages with arbitrary body formatting. > > You can create pretty much any arbitrary message body you want using > application/x-www-form-urlencoded already by crafting smart names and > values so the real importance is in not being able to set Content-Type. > This is not a security problem as far as I can tell. Using a form still results in the use of = and & in the body, even with crafted names/values. Taking the ICS format as an example, this is very difficult to encode in a normal form, but very easy with cross-origin XHR. This can leave legacy servers open to a new attack vector. BEGIN:VCALENDAR VERSION:2.0 PRODID:-//hacksw/handcal//NONSGML v1.0//EN BEGIN:VEVENT UID:uid1@example.com DTSTAMP:19970714T170000Z ORGANIZER;CN=John Doe:MAILTO:john.doe@example.com DTSTART:19970714T170000Z DTEND:19970715T035959Z SUMMARY:Bastille Day Party END:VEVENT END:VCALENDAR -- Philippe De Ryck K.U.Leuven, Dept. of Computer Science Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htmReceived on Wednesday, 3 August 2011 09:20:43 GMT
This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:46 GMT