Re: IE Team's Proposal for Cross Site Requests

Thomas Roessler wrote:
> On 2008-03-17 14:29:54 -0700, Sunava Dutta wrote:
> 
>> If removed, all XDR POST requests could be sent with:
>>
>>                 Content-Type: text/plain; charset=UTF-8
> 
>> Servers would then be flexible in interpreting the data in the
>> higher-level format they expect (JSON, XML, etc).
> 
> Why text/plain, as opposed to, say,
> application/x-www-form-urlencoded?
> 
> Or even some other content type?  I'm worried that you're suggesting
> some pretty intrusive profiling of HTTP here, effectively
> *requiring* content sniffing to deal with any kind of form content.
> 
> That creates its own bit of complexity and possibilities for
> insecurities down the road.
> 
> I'd rather we deal with the added attack surface due to being able
> to POST properly labelled XML content than introducing another
> divergence into how HTTP headers are interpreted by Web
> applications.

+1.

Removing the ability to properly specify the content type is a bug, not 
a feature.

(BTW: the same applies to other kinds of profiling, such as by HTTP 
method name)

BR, Julian

Received on Monday, 17 March 2008 22:14:25 UTC