Re: IE Team's Proposal for Cross Site Requests

Laurens Holst wrote:
> Laurens Holst schreef:
>> Or, if you really do not want to increase the attack surface, you 
>> should always send the content type application/x-www-form-urlencoded, 
>> and only allow request entities constructed through an API. Because 
>> servers only expect x-www-form-urlencoded and not text/plain, and 
>> servers might have parsing issues if the POST body is malformed, both 
>> leading to changes from what is currently possible with HTML and thus, 
>> security risks. 
> 
> Sorry, apparantly this is a misconception of mine, using 
> encoding="text/plain" you can apparantly already send arbitrary 
> requests. So ignore this paragraph please :). The rest does still apply.
> 
> By the way, I do not see how requiring servers to ignore the request 
> entity content type and forcing them to do content sniffing makes things 
> more secure, instead of less.

Though to be honest I would really like to figure out a way to disable 
cross-site POSTs even from forms. CSRF is a big problem with tons of 
sites vulnerable today.

So I'd really like to not perpetuate the model of allowing cross-site 
POSTs. An interesting first step in that direction would be to disallow 
cross-site text/plain posts since they are so rare that it'd likely not 
affect many sites.

/ Jonas

Received on Tuesday, 18 March 2008 17:46:46 UTC