- From: John Panzer <jpanzer@acm.org>
- Date: Mon, 17 Mar 2008 21:18:05 -0700
- To: Sunava Dutta <sunavad@windows.microsoft.com>
- CC: Maciej Stachowiak <mjs@apple.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>
Sunava Dutta wrote: > Maciej Stachowiak [mjs@apple.com] said: > <<But not exactly identical, since forms can't be used to POST XML content with a proper MIME type cross-domain.>> > > You're right-- setting an arbitrary request content-type is a capability not present in HTML forms today. While we believe that this is a minimal increase in attack surface, we agree that it's worth considering whether or not such capability should be removed. > > If removed, all XDR POST requests could be sent with: > > Content-Type: text/plain; charset=UTF-8 > > Servers would then be flexible in interpreting the data in the higher-level format they expect (JSON, XML, etc). > This assumes that the server can know a priori what type they expect. This isn't necessarily the case for e.g., AtomPub servers. Or are they supposed to guess the content type from the content body? That's surely a recipe for security disasters down the road...
Received on Tuesday, 18 March 2008 04:14:50 UTC