- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 18 Mar 2008 10:45:07 -0700
- To: Laurens Holst <lholst@students.cs.uu.nl>
- CC: Sunava Dutta <sunavad@windows.microsoft.com>, Maciej Stachowiak <mjs@apple.com>, Eric Lawrence <ericlaw@exchange.microsoft.com>, "Web API WG (public)" <public-webapi@w3.org>, "public-appformats@w3.org" <public-appformats@w3.org>, Chris Wilson <Chris.Wilson@microsoft.com>, Zhenbin Xu <zhenbinx@windows.microsoft.com>, Gideon Cohn <gidco@windows.microsoft.com>, Sharath Udupa <Sharath.Udupa@microsoft.com>, Doug Stamper <dstamper@exchange.microsoft.com>, Marc Silbey <marcsil@windows.microsoft.com>
Laurens Holst wrote:
> Laurens Holst wrote:
>> Or, if you really do not want to increase the attack surface, you
>> should always send the content type application/x-www-form-urlencoded,
>> and only allow request entities constructed through an API. Because
>> servers only expect x-www-form-urlencoded and not text/plain, and
>> servers might have parsing issues if the POST body is malformed, both
>> leading to changes from what is currently possible with HTML and thus,
>> security risks.
>
> Sorry, apparently this is a misconception of mine, using
> encoding="text/plain" you can apparently already send arbitrary
> requests. So ignore this paragraph please :). The rest does still apply.
>
> By the way, I do not see how requiring servers to ignore the request
> entity content type and forcing them to do content sniffing makes things
> more secure, instead of less.

Though to be honest I would really like to figure out a way to disable cross-site POSTs even from forms. CSRF is a big problem with tons of sites vulnerable today. So I'd really like to not perpetuate the model of allowing cross-site POSTs.

An interesting first step in that direction would be to disallow cross-site text/plain posts since they are so rare that it'd likely not affect many sites.

/ Jonas
Received on Tuesday, 18 March 2008 17:46:48 UTC
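A server-side counterpart of the policy Jonas sketches (reject cross-site POSTs that do not use a normal form encoding, and require a CSRF token for the rest), as an added example that is not code from the thread or from any browser vendor. It assumes the request exposes `Origin` or `Referer` headers and a `csrf_token` form field; the request dictionaries are constructed for the demonstration.

```python
import hmac
from urllib.parse import urlsplit

# Content types an HTML form can send; anything else from another site is rejected.
FORM_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data"}


def media_type(content_type):
    """Strip parameters such as '; charset=UTF-8' and normalise case."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def request_origin(headers):
    """Best-effort origin of the request: Origin header, else scheme+host of Referer.
    Returns None when neither is present (assumption: treat that as cross-site)."""
    if headers.get("Origin"):
        return headers["Origin"].lower()
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def check_post(headers, form_fields, site_origin, expected_token):
    """Return (accepted, reason) for a POST under the cross-site policy."""
    cross_site = request_origin(headers) != site_origin.lower()
    mtype = media_type(headers.get("Content-Type"))
    # Step 1: the browser-side rule from the thread, applied on the server:
    # a cross-site POST with a non-form body (e.g. text/plain) is refused outright.
    if cross_site and mtype not in FORM_TYPES:
        return False, f"cross-site POST with {mtype or 'no'} content type"
    # Step 2: ordinary form posts are still CSRF-prone, so demand the token.
    token = form_fields.get("csrf_token", "")
    if not hmac.compare_digest(token, expected_token):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed sample requests against a hypothetical site https://app.example
SITE = "https://app.example"
TOKEN = "constructed-token-123"

SAME_SITE_FORM = ({"Origin": SITE, "Content-Type": "application/x-www-form-urlencoded"},
                  {"csrf_token": TOKEN, "amount": "10"})
CROSS_SITE_TEXT_PLAIN = ({"Referer": "https://other.example/page",
                          "Content-Type": "text/plain"}, {})
CROSS_SITE_FORM_NO_TOKEN = ({"Origin": "https://other.example",
                             "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"},
                            {"amount": "10"})

if __name__ == "__main__":
    for name, (hdrs, fields) in [("same-site form", SAME_SITE_FORM),
                                 ("cross-site text/plain", CROSS_SITE_TEXT_PLAIN),
                                 ("cross-site form, no token", CROSS_SITE_FORM_NO_TOKEN)]:
        print(name, "->", check_post(hdrs, fields, SITE, TOKEN))
```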