
Re: Extension specification proposal: JSON form submission

From: Manuel Strehl <svg@manuel-strehl.de>
Date: Wed, 26 Feb 2014 09:39:34 +0100
To: public-html@w3.org
Message-ID: <363219e46b119785adeb7e8cf50f5cd8@xa8.serverdomain.org>

Hi,

a security question: should UAs guard against this?

<input name="foo[0]" value="a">
<input name="foo[9999999999]" value="b">

sending a huge response containing mainly "null"s? It could provide a 
means of DDoS attacks via CSRF. Should the spec define a cut-off length, 
or should it be left to implementors?

Manuel

On 25.2.2014 17:00, Robin Berjon wrote:
> Hi all,
> 
> I've put together a small and simple extension specification proposal.
> Essentially, it adds "application/json" as a potential enctype for
> HTML forms so that submitting JSON directly from forms becomes
> possible.
> 
> Since just reproducing existing encodings in JSON syntax would bring
> relatively little value to the table, the JSON encoding makes it
> possible to generate structured JSON from forms based on simple
> conventions for the name attribute.
> 
> You can read it here:
> 
>     http://darobin.github.io/formic/specs/json/
> 
> If the group agrees, I'd like to see this taken up as a deliverable.
> 
> Enjoy!
Received on Wednesday, 26 February 2014 08:39:58 UTC
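
The cut-off asked about in the message above, as an added example that is not part of the thread and is not the proposal's own algorithm. It is a simplified encoder that handles only plain names and `name[index]`, pads gaps with null, and rejects any index above a limit; `MAX_INDEX`, `parseName`, `encodeForm` and `paddingCost` are hypothetical names chosen for illustration.

```javascript
// Added example: simplified form-to-JSON encoder with an index cut-off.
// MAX_INDEX is a hypothetical limit, not a value taken from the proposal.
const MAX_INDEX = 1000;

// Split "foo[12]" into { key: "foo", index: 12 }; plain names get index null.
function parseName(name) {
  const m = /^([^\[\]]+)\[(\d+)\]$/.exec(name);
  return m ? { key: m[1], index: Number(m[2]) } : { key: name, index: null };
}

// Encode [name, value] pairs. Gaps in an indexed field are padded with null,
// which is what makes a single large index expensive to build and serialize.
function encodeForm(entries, maxIndex = MAX_INDEX) {
  const out = Object.create(null); // no prototype, so "__proto__" is just a key
  const rejected = [];
  for (const [name, value] of entries) {
    const { key, index } = parseName(name);
    if (index === null) { out[key] = value; continue; }
    if (index > maxIndex) { rejected.push(name); continue; } // the cut-off
    if (!Array.isArray(out[key])) out[key] = [];
    const arr = out[key];
    while (arr.length < index) arr.push(null); // explicit null padding
    arr[index] = value;
  }
  return { json: JSON.stringify(out), rejected };
}

// Number of null entries an encoder without a cut-off would emit for one field.
function paddingCost(entries, key) {
  const idx = entries.map(([n]) => parseName(n))
    .filter(p => p.key === key && p.index !== null)
    .map(p => p.index);
  if (idx.length === 0) return 0;
  return Math.max(...idx) + 1 - new Set(idx).size;
}

// Constructed sample input mirroring the two fields in the message above.
const sample = [["foo[0]", "a"], ["foo[9999999999]", "b"]];
const result = encodeForm(sample);
console.log(result.json, "rejected:", result.rejected);
console.log("nulls without a cut-off:", paddingCost(sample, "foo"));
```

Whether a rejected field should be dropped, as here, or should abort the whole submission is a policy choice the message leaves open.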
