Re: IE Team's Proposal for Cross Site Requests from Laurens Holst on 2008-03-18 (public-appformats@w3.org from March 2008)

From: Laurens Holst <lholst@students.cs.uu.nl>
Date: Tue, 18 Mar 2008 14:51:52 +0100
To: Sunava Dutta <sunavad@windows.microsoft.com>
CC: Maciej Stachowiak <mjs@apple.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>
Message-ID: <47DFC8F8.4000805@students.cs.uu.nl>

Laurens Holst schreef:
> Or, if you really do not want to increase the attack surface, you 
> should always send the content type application/x-www-form-urlencoded, 
> and only allow request entities constructed through an API. Because 
> servers only expect x-www-form-urlencoded and not text/plain, and 
> servers might have parsing issues if the POST body is malformed, both 
> leading to changes from what is currently possible with HTML and thus, 
> security risks. 

Sorry, apparantly this is a misconception of mine, using 
encoding="text/plain" you can apparantly already send arbitrary 
requests. So ignore this paragraph please :). The rest does still apply.

By the way, I do not see how requiring servers to ignore the request 
entity content type and forcing them to do content sniffing makes things 
more secure, instead of less.


~Grauw

-- 
Ushiko-san! Kimi wa doushite, Ushiko-san nan da!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Laurens Holst, student, university of Utrecht, the Netherlands.
Website: www.grauw.nl. Backbase employee; www.backbase.com.

Received on Tuesday, 18 March 2008 13:52:43 UTC