- From: Domenic Denicola <notifications@github.com>
- Date: Wed, 21 Nov 2018 07:02:11 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 21 November 2018 15:02:41 UTC
domenic commented on this pull request.

> @@ -471,6 +685,9 @@ each other by 0x2C 0x20, in order. "<code>text/plain</code>", then return false. </ol> + <p class=warning>This intentionally does not use <a>extract a MIME type</a> as that algorithm is + rather forgiving and servers are not expected to implement it.

So the mismatch scenario is: client uses the Headers class to add content-type: someHardToParseThingWhichTheyIntendToBeTextPlain, and does a fetch() post to the server, which uses a different parser and ends up with application/json? If so, I'll note that's not really an attack (the client could just send application/json directly). So maybe this is more of a note than a warning. In either case, adding such an example would be helpful.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/831#discussion_r235421287
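
Review bot: in the added <p class=warning> paragraph, "This" has no named subject, and the sentence gives only the rationale ("rather forgiving and servers are not expected to implement it") without saying what goes wrong when a server parses the same header value differently. Name the step or check the paragraph refers to and state the consequence of a parser mismatch in one sentence; if there is no consequence to state, the warning class is not justified by the text as written.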