Re: CORS performance from Brad Hill on 2015-02-19 (public-webappsec@w3.org from February 2015)

From: Brad Hill <hillbrad@gmail.com>
Date: Thu, 19 Feb 2015 20:38:55 +0000
To: Jonas Sicking <jonas@sicking.cc>, Dale Harvey <dale@arandomurl.com>
Cc: Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>
Message-ID: <CAEeYn8jf9m3t7ZBWJn_ooUvP69zHJ2H17eNDsB1JZe4EDyo5hw@mail.gmail.com>

I think that POSTing JSON would probably expose to CSRF a lot of things
that work over HTTP but don't expect to be interacted with by web browsers
in that manner.  That's why the recent JSON encoding for forms mandates
that it be same-origin only.

On Thu Feb 19 2015 at 12:23:48 PM Jonas Sicking <jonas@sicking.cc> wrote:

> On Thu, Feb 19, 2015 at 4:49 AM, Dale Harvey <dale@arandomurl.com> wrote:
> >> so presumably it is OK to set the Content-Type to text/plain
> >
> > Thats not ok, but may explain my confusion, is Content-Type considered a
> > Custom Header that will always trigger a preflight? if so then none of
> the
> > caching will apply, CouchDB requires sending the appropriate content-type
>
> We most likely can consider the content-type header as *not* "custom".
> I was one of the people way back when that pointed out that there's a
> theoretical chance that allowing arbitrary content-type headers could
> cause security issues. But it seems highly theoretical.
>
> I suspect that the mozilla security team would be fine with allowing
> arbitrary content-types to be POSTed though. Worth asking. I can't
> speak for other browser vendors of course.
>
> / Jonas
>
>

Received on Thursday, 19 February 2015 20:39:24 UTC