Re: Reports feature violates the same-origin policy

So we change the MIME type to text/plain (allowed) and the text happens to
be formatted as JSON. I don't see how that helps, but it would be
spec-compliant.
-Dan Veditz

On Wed, Feb 15, 2017 at 7:51 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> Reports go across origins and don't follow the MIME type safelist from
> CORS/HTML forms. It seems problematic that we keep breaking our own
> rules with regards to the same-origin policy, especially as it doesn't
> seem to happen on purpose.
>
> Note that simply adding these MIME types to the safelist would not be
> great either, as the servers that are currently "guaranteed" to get
> JSON (depends a little bit on whether tokens are used or whether it's
> an intranet as I believe credentials are not included in these
> reports), might then be able to get more carefully crafted attack
> payloads.
>
>
> --
> https://annevankesteren.nl/
>
>

Received on Wednesday, 15 February 2017 17:23:52 UTC