Re: Extension specification proposal: JSON form submission

From: Robin Berjon <robin@w3.org>
Date: Mon, 03 Mar 2014 14:51:26 +0100
Message-ID: <531488DE.10708@w3.org>
To: Manuel Strehl <svg@manuel-strehl.de>, public-html@w3.org
Hi Manuel,

On 26/02/2014 09:39 , Manuel Strehl wrote:
> a security question: should UAs guard against this?
>
> <input name="foo[0]" value="a">
> <input name="foo[9999999999]" value="b">

In fact you don't even need the first input there.

> sending a huge response containing mainly "null"s? It could provide a
> means of DDoS attacks via CSRF. Should the spec define a cut-off length,
> or should it be left to implementors?

Various options have been mentioned. One is to always use objects, such 
that your example would become:

{
   "0": "a"
, "9999999999": "b"
}

But I believe that defeats the point of the encoding which is to address 
JSON endpoints naturally.

Another was to prevent sparse arrays and simply make the result of the 
above ["a", "b"]. That's less of a problem, but I think it still fails 
to address legitimate uses of sparse arrays.

I think that the best option is to bring up the issue in the security 
considerations, and leave the cut-off length up to implementers.

-- 
Robin Berjon - http://berjon.com/ - @robinberjon
Received on Monday, 3 March 2014 13:51:36 UTC
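As an added illustration of the trade-off discussed in this thread (not code from Robin, Manuel, or the JSON form submission draft itself), here is a small bracket-path encoder in JavaScript. It builds arrays for numeric steps, shows the null padding that a lone `foo[9999999999]` would otherwise produce, and implements one possible cut-off: any index above `maxArrayIndex` downgrades that container to an object, so no padding is ever emitted. The parsing rules, the `maxArrayIndex` option and its default, and the sample field lists are assumptions made for this example.

```javascript
// Added example: a minimal encoder for bracket-path form names of the kind
// discussed in the thread. This is NOT the draft's algorithm nor a browser's
// implementation; parsePath(), the maxArrayIndex cut-off (default 1000) and the
// sample fields below are assumptions constructed for illustration only.

// Split "pet[toys][]" into ["pet", "toys", ""]. A name that does not fit the
// name[step][step]... shape is treated as a single flat key.
function parsePath(name) {
  const m = /^([^\[\]]+)((?:\[[^\[\]]*\])*)$/.exec(name);
  if (!m) return [name];
  const steps = [m[1]];
  const re = /\[([^\[\]]*)\]/g;
  let part;
  while ((part = re.exec(m[2])) !== null) steps.push(part[1]);
  return steps;
}

// A canonical non-negative integer such as "0" or "9999999999" (no leading zeros).
const isIndex = (s) => /^(0|[1-9][0-9]*)$/.test(s);

// fields: array of [name, value] pairs in submission order.
// Numeric steps create arrays; that is where the sparse-array problem lives,
// because a lone foo[9999999999] would force ten billion null slots on
// serialisation. A step is only allowed to address an array when it is ""
// (append) or an index no larger than maxArrayIndex.
function encodeFormFields(fields, { maxArrayIndex = 1000 } = {}) {
  const allowed = (s) => s === "" || (isIndex(s) && Number(s) <= maxArrayIndex);
  const root = {};
  for (const [name, value] of fields) {
    const steps = parsePath(name);
    let parent = null;
    let parentKey = null;
    let ctx = root;
    for (let i = 0; i < steps.length; i++) {
      const step = steps[i];
      // Cut-off: an array that receives a non-index or out-of-range step is
      // downgraded to an object holding only the slots actually set, so the
      // oversized index becomes a plain string key instead of padding.
      if (Array.isArray(ctx) && !allowed(step)) {
        ctx = Object.assign({}, ctx);
        parent[parentKey] = ctx;
      }
      const key = Array.isArray(ctx) ? (step === "" ? ctx.length : Number(step)) : step;
      if (i === steps.length - 1) {
        ctx[key] = value;
      } else {
        // Create the child container; its type is decided by the next step.
        if (ctx[key] === undefined || typeof ctx[key] !== "object") {
          ctx[key] = allowed(steps[i + 1]) ? [] : {};
        }
        parent = ctx;
        parentKey = key;
        ctx = ctx[key];
      }
    }
  }
  return root;
}

// Size of the JSON text a UA would put on the wire for the given fields.
function serialisedLength(fields, opts) {
  return JSON.stringify(encodeFormFields(fields, opts)).length;
}

// Constructed sample inputs: Manuel's two-input case, a lone huge index, and an
// ordinary nested form with append semantics.
const SPARSE_FIELDS = [["foo[0]", "a"], ["foo[9999999999]", "b"]];
const LONE_HUGE_INDEX = [["foo[9999999999]", "b"]];
const NESTED_FIELDS = [["pet[name]", "Spot"], ["pet[toys][]", "ball"], ["pet[toys][]", "bone"]];

if (typeof require !== "undefined" && require.main === module) {
  // With the cut-off, the oversized index falls back to an object key.
  console.log(JSON.stringify(encodeFormFields(SPARSE_FIELDS)));
  // Without a cut-off, even a small gap is visible as null padding.
  console.log(JSON.stringify(encodeFormFields([["foo[3]", "b"]], { maxArrayIndex: Infinity })));
  console.log(JSON.stringify(encodeFormFields(NESTED_FIELDS)));
}
```

Running the block with the default cut-off turns Manuel's example into `{"foo":{"0":"a","9999999999":"b"}}`, which is exactly the "always use objects" shape Robin describes, but only for the container that would otherwise need padding; ordinary arrays such as `pet[toys][]` stay arrays. The one-line `[["foo[3]","b"]]` case with the cut-off disabled shows the `null` padding the thread is worried about, at a size where it is harmless.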