- From: Frederik Braun <fbraun@mozilla.com>
- Date: Wed, 15 Feb 2017 19:14:33 +0100
- To: public-webappsec@w3.org
On 15.02.2017 19:01, Anne van Kesteren wrote:
> On Wed, Feb 15, 2017 at 6:22 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>> So we change the MIME type to text/plain (allowed) and the text happens to
>> be formatted as JSON. I don't see how that helps, but it would be
>> spec-compliant.
>
> That means that a server that accepts JSON payloads and carefully
> checks the MIME type of the incoming request would not be vulnerable
> if this was used maliciously somehow.
>
> That, or we add it to the MIME type list.

Either way, the server has to check it's JSON. Endpoints had to be careful with spoofed requests already, except that we're adding the intranet now.
Received on Wednesday, 15 February 2017 18:15:08 UTC
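The point the thread converges on is that the server side must decide whether a request is JSON from the declared MIME type, not from whether the body happens to parse as JSON. The following is an added illustration, not code from the thread or from any of the participants, of what that check looks like in a request handler: a `text/plain` body that is formatted as JSON is rejected with 415, and only `application/json` is parsed. The handler, the header parser, the status codes and the sample requests are all assumptions made for this example.

```python
# Added example (not part of the mailing-list thread): accept a JSON payload
# only when the Content-Type header actually declares application/json.
# The function names, status codes and sample requests are constructed for
# illustration and are not from any spec or project discussed in the thread.
import json

# MIME types this endpoint is willing to parse as JSON (assumption).
ALLOWED_JSON_TYPES = {"application/json"}


def get_header(headers, name):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_content_type(header):
    """Split a Content-Type value into (essence, params), both lower-cased.

    Example: 'Application/JSON; charset="UTF-8"' -> ('application/json',
    {'charset': 'utf-8'}). Returns (None, {}) for a missing header.
    """
    if not header:
        return None, {}
    parts = [p.strip() for p in header.split(";")]
    essence = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = value.strip().strip('"').lower()
    return essence, params


def accept_json_request(headers, body):
    """Return (status, parsed_body) for an incoming request.

    415 -> MIME type is not one we treat as JSON (even if the body is JSON)
    400 -> MIME type is JSON but the body is not valid UTF-8 JSON
    200 -> accepted, with the decoded object
    """
    essence, params = parse_content_type(get_header(headers, "Content-Type"))
    if essence not in ALLOWED_JSON_TYPES:
        # This is the text/plain-formatted-as-JSON case from the thread:
        # the body is never inspected, so its content cannot smuggle it in.
        return 415, None
    # Only accept the charset JSON is expected to use (assumption: UTF-8).
    if params.get("charset", "utf-8") != "utf-8":
        return 415, None
    try:
        return 200, json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, None


# Constructed sample requests: (label, headers, body).
SAMPLE_REQUESTS = [
    ("text/plain body shaped like JSON", {"Content-Type": "text/plain"},
     b'{"action": "delete", "id": 42}'),
    ("declared JSON", {"Content-Type": "application/json; charset=utf-8"},
     b'{"action": "delete", "id": 42}'),
    ("declared JSON, malformed body", {"Content-Type": "application/json"},
     b"not json at all"),
    ("no Content-Type at all", {}, b'{"action": "delete", "id": 42}'),
]


def classify_samples():
    """Run every constructed sample through the handler; label -> status."""
    return {label: accept_json_request(headers, body)[0]
            for label, headers, body in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for label, status in classify_samples().items():
        print(f"{status}  {label}")
```

Note that the MIME-type check only decides whether a body is treated as JSON; it says nothing about who sent the request. The "spoofed requests" and intranet remark in the reply above still applies, so an endpoint reachable from a browser also needs its usual origin or token checks alongside this one.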