Re: Extension specification proposal: JSON form submission

Hi,

a security question: should UAs guard against this?

<input name="foo[0]" value="a">
<input name="foo[9999999999]" value="b">

sending a huge response containing mainly "null"s? It could provide a 
means of DDoS attacks via CSRF. Should the spec define a cut-off length, 
or should it be left to implementors?

Manuel

On 25.2.2014 17:00, Robin Berjon wrote:
> Hi all,
> 
> I've put together a small and simple extension specification proposal.
> Essentially, it adds "application/json" as a potential enctype for
> HTML forms so that submitting JSON directly from forms becomes
> possible.
> 
> Since just reproducing existing encodings in JSON syntax would bring
> relatively little value to the table, the JSON encoding makes it
> possible to generate structured JSON from forms based on simple
> conventions for the name attribute.
> 
> You can read it here:
> 
>     http://darobin.github.io/formic/specs/json/
> 
> If the group agrees, I'd like to see this taken up as a deliverable.
> 
> Enjoy!

Received on Wednesday, 26 February 2014 08:39:58 UTC
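
An added example, not part of the original message or of the proposal: a simplified encoder for the bracketed name convention that applies the cut-off asked about above before any array is allocated. The names encodeFields and MAX_ARRAY_INDEX, the limit of 1000 and the flat-key fallback are assumptions; the proposal's own path algorithm is not reproduced here.

```javascript
// Added example; encodeFields and MAX_ARRAY_INDEX are hypothetical names.
const MAX_ARRAY_INDEX = 1000; // assumed cut-off, the thread leaves the value open

// Split "foo[0][bar]" into ["foo", 0, "bar"]; all-digit steps become indices.
function parsePath(name) {
  const m = /^([^\[\]]+)((?:\[[^\[\]]+\])*)$/.exec(name);
  if (!m) return [name]; // not a path: keep the whole name as one key
  const steps = [m[1]];
  for (const [, key] of m[2].matchAll(/\[([^\[\]]+)\]/g)) {
    steps.push(/^\d+$/.test(key) ? Number(key) : key);
  }
  return steps;
}

function encodeFields(fields, maxIndex = MAX_ARRAY_INDEX) {
  const root = Object.create(null); // no prototype, so keys cannot shadow it
  for (const [name, value] of fields) {
    const steps = parsePath(name);
    // Check before allocating: a sparse index is padded with "null" entries.
    const unsafe = steps.some(
      (s) => (typeof s === "number" && s > maxIndex) || s === "__proto__"
    );
    if (unsafe) {
      root[name] = value; // fall back to a flat key, payload stays small
      continue;
    }
    let node = root;
    steps.forEach((step, i) => {
      if (i === steps.length - 1) {
        node[step] = value;
        return;
      }
      const own = Object.prototype.hasOwnProperty.call(node, step);
      if (!own || node[step] === null || typeof node[step] !== "object") {
        node[step] = typeof steps[i + 1] === "number" ? [] : Object.create(null);
      }
      node = node[step];
    });
  }
  return root;
}

// Constructed sample input: the two fields from the message above.
const sample = [["foo[0]", "a"], ["foo[9999999999]", "b"]];
console.log(JSON.stringify(encodeFields(sample)));
```

A server that decodes such names from a urlencoded body would need the same bound, since the padding cost falls on whichever side expands the path.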