- From: Robin Berjon <robin@w3.org>
- Date: Mon, 03 Mar 2014 14:51:26 +0100
- To: Manuel Strehl <svg@manuel-strehl.de>, public-html@w3.org
Hi Manuel,
On 26/02/2014 09:39 , Manuel Strehl wrote:
> a security question: should UAs guard against this?
>
> <input name="foo[0]" value="a">
> <input name="foo[9999999999]" value="b">
In fact you don't even need the first input there.
> sending a huge response containing mainly "null"s? It could provide a
> means of DDoS attacks via CSRF. Should the spec define a cut-off length,
> or should it be left to implementors?
Various options have been mentioned. One is to always use objects, such
that your example would become:
{
"0": "a"
, "9999999999": "b"
}
But I believe that defeats the point of the encoding which is to address
JSON endpoints naturally.
Another was to prevent sparse arrays and simply make the result of the
above ["a", "b"]. That's less of a problem, but I think it still fails
to address legitimate uses of sparse arrays.
I think that the best option is to bring up the issue in the security
considerations, and leave the cut-off length up to implementers.
--
Robin Berjon - http://berjon.com/ - @robinberjon
Received on Monday, 3 March 2014 13:51:36 UTC