Re: Issue #356: Form-encode Expect-CT report bodies?

On Fri, Jun 9, 2017 at 7:42 AM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 9 June 2017 at 16:38, Emily Stark <estark@google.com> wrote:
> > Does anyone else have an opinion? If not, I'll probably go with
> > text/plain.
>
> After considering this, I would prefer to have this added to the CORS
> exception list in the same way that CSP reporting is.  It is better to
> have an accurate MIME type with an exception and accompanying analysis
> of why it is safe to send these payloads than it is to just have the
> spec try to route around the problem (tempting and easy as that might
> be).
>

CSP reporting isn't added to the CORS whitelist. It's been in violation of
CORS for years and there are some vague plans to fix it by sending
preflights, but adding it to the whitelist hasn't really been discussed.
Anne has said that he prefers not to add more to the whitelist, which I
think is a reasonable stance. (see
https://lists.w3.org/Archives/Public/public-webappsec/2017Feb/0009.html --
though to be fair, the same text/plain idea is rejected in that thread as
well)

In addition to the fact that there's not really any principled reason for
expanding the whitelist, it would mean that, say, an XHR can send the new
header value, which shouldn't really be allowed.

Received on Friday, 9 June 2017 14:54:39 UTC
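The CORS rule the thread is arguing over, as an added example that is not part of the original mail: a Python implementation of the Fetch standard's CORS-safelisted request-header check (current wording, which adds the length and byte restrictions the 2017 text lacked), applied to the three delivery options under discussion. The dedicated report type name `application/expect-ct-report+json` is an assumption, not something the thread states; it shows why a non-safelisted type forces an XHR/fetch preflight while `text/plain` does not.

```python
from typing import Dict, Optional

# Fetch standard: Content-Type is CORS-safelisted only for these MIME essences.
SAFELISTED_MIME_ESSENCES = frozenset({
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"})
# "CORS-unsafe request-header bytes" and the byte set allowed in *-Language.
_UNSAFE = frozenset(range(0x00, 0x09)) | frozenset(range(0x0A, 0x20)) \
    | frozenset(b'"():<>?@[\\]{}\x7f')
_LANG_OK = frozenset(b"0123456789abcdefghijklmnopqrstuvwxyz"
                     b"ABCDEFGHIJKLMNOPQRSTUVWXYZ *,-.;=")

def mime_essence(value: str) -> Optional[str]:
    """Simplified MIME parse: lowercase 'type/subtype' without parameters."""
    essence = value.split(";", 1)[0].strip(" \t").lower()
    type_, sep, subtype = essence.partition("/")
    if not sep or not type_ or not subtype:
        return None
    return f"{type_}/{subtype}"

def is_cors_safelisted_header(name: str, value: str) -> bool:
    """True if (name, value) can be sent cross-origin without a preflight."""
    try:
        raw = value.encode("latin-1")   # header values are byte sequences
    except UnicodeEncodeError:
        return False
    if len(raw) > 128:
        return False
    name = name.lower()
    if name == "accept":
        return not any(b in _UNSAFE for b in raw)
    if name in ("accept-language", "content-language"):
        return all(b in _LANG_OK for b in raw)
    if name == "content-type":
        if any(b in _UNSAFE for b in raw):
            return False
        return mime_essence(value) in SAFELISTED_MIME_ESSENCES
    return False  # any other header name is never safelisted

def needs_preflight(method: str, headers: Dict[str, str]) -> bool:
    """True if fetch()/XHR would send an OPTIONS preflight for this request."""
    if method.upper() not in ("GET", "HEAD", "POST"):
        return True
    return not all(is_cors_safelisted_header(n, v) for n, v in headers.items())

# Constructed candidates from the thread; the dedicated type name is assumed.
CANDIDATES = {
    "form-encoded": "application/x-www-form-urlencoded",
    "text/plain": "text/plain; charset=utf-8",
    "dedicated type (assumed)": "application/expect-ct-report+json",
}

def preflight_table() -> Dict[str, bool]:
    """Preflight requirement for a POSTed report body under each candidate."""
    return {label: needs_preflight("POST", {"Content-Type": ct})
            for label, ct in CANDIDATES.items()}
```

Running `preflight_table()` shows only the dedicated type requiring a preflight, which is the behaviour the CORS exception Martin proposes would remove.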