Re: IE Team's Proposal for Cross Site Requests

Sunava Dutta wrote:
> Maciej Stachowiak [mjs@apple.com] said:
> <<But not exactly identical, since forms can't be used to POST XML content with a proper MIME type cross-domain.>>
>
> You're right-- setting an arbitrary request content-type is a capability not present in HTML forms today.  While we believe that this is a minimal increase in attack surface, we agree that it's worth considering whether or not such capability should be removed.
>
> If removed, all XDR POST requests could be sent with:
>
>                 Content-Type: text/plain; charset=UTF-8
>
> Servers would then be flexible in interpreting the data in the higher-level format they expect (JSON, XML, etc).
>   
This assumes that the server can know a priori what type they expect.  
This isn't necessarily the case for e.g., AtomPub servers.  Or are they 
supposed to guess the content type from the content body?  That's surely 
a recipe for security disasters down the road...

Received on Tuesday, 18 March 2008 04:14:51 UTC