- From: Peter Hoffmann <notifications@github.com>
- Date: Fri, 15 Oct 2021 02:38:50 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/1333@github.com>
I propose to add "application/json" to the list of values for the "Content-Type" header that are safe without preflight in CORS requests.

## Current State ##

On the one side, browsers send forms with "application/x-www-form-urlencoded" data in POST requests if not selecting "multipart/form-data" or "text/plain", of which the latter was just included in HTML5 ("for debugging purposes"). APIs can respond with JSON as well as formData; both parsing methods are in the fetch spec. Even without statistics, it seems that formData is the de facto standard for sending and JSON for receiving.

## JSON vs. formData encoding ##

FormData encoding is limited to the type `Dict[str, Union[str, List[str]]]`, which is enough for bare HTML forms, and hence the form element does not need to add another encoding. But modern user interfaces can and do show deeper nested structured data for editing and therefore need more complex transfer encoding.

## Effects ##

The workarounds I can think of are all far from ideal:

1. Ignoring the Content-Type in the receiving header, or using e.g. the "text/plain" header
2. Continue using formData but send the actual data JSON encoded, stringified as an input value.
3. Add an OPTIONS endpoint to every POST endpoint, or even a general OPTIONS endpoint to your API
4. Only use JSON and an endpoint with preflight support for complex data and formData for the rest

These all lead to the conclusion that the level of complexity of the server increases not based on the security considerations one should make but on the complexity of the data you need to send.

## Consideration ##

Currently "application/json" is considered unsafe, so preflight is a kind of "security mechanism". One should not depend on this, but skipping the preflight could lead to APIs becoming CORS available without that intention. On the other hand, the current spec could be considered as an invitation to use JSON accepting APIs as CORS prevention.
-- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1333
Received on Friday, 15 October 2021 09:39:02 UTC
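The preflight rule the proposal discusses, as an added example that is not part of the issue thread or the Fetch spec's own code: a simplified Python model of the spec's "CORS-safelisted request-header" check, showing which Content-Type values skip preflight and why a server cannot treat preflight as access control (the "text/plain" workaround above never triggers one). It is an assumption of this model that only the method check, the header-name allowlist, the 128-byte limit, the unsafe-byte rule and the Content-Type essence rule are covered; the Range rule, the stricter Accept-Language/Content-Language byte rule and the preflight flag set by streaming bodies are left out.

```python
# Simplified model of the Fetch spec's CORS-safelisted request-header check.
# Assumption: Range, Accept-Language/Content-Language byte rules and the
# use-CORS-preflight flag (streaming bodies) are intentionally not modelled.

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADER_NAMES = {"accept", "accept-language", "content-language", "content-type"}
# Only these MIME essences may be sent cross-origin without a preflight;
# "application/json" is absent, which is what the proposal wants to change.
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
# "CORS-unsafe request-header byte": control bytes plus " ( ) : < > ? @ [ \ ] { } DEL
UNSAFE_BYTES = (set(range(0x00, 0x09)) | set(range(0x0A, 0x20))
                | {0x22, 0x28, 0x29, 0x3A, 0x3C, 0x3E, 0x3F, 0x40,
                   0x5B, 0x5C, 0x5D, 0x7B, 0x7D, 0x7F})


def header_is_safelisted(name: str, value: str) -> bool:
    """True if (name, value) is a CORS-safelisted request header."""
    name = name.lower()
    if name not in SAFELISTED_HEADER_NAMES:
        return False
    # Header values are byte sequences; a non-Latin-1 char becomes '?' (0x3F),
    # which is itself an unsafe byte, so it correctly forces a preflight.
    raw = value.encode("latin-1", errors="replace")
    if len(raw) > 128 or any(b in UNSAFE_BYTES for b in raw):
        return False
    if name == "content-type":
        # The MIME essence is type/subtype with parameters (e.g. boundary) stripped.
        essence = value.split(";", 1)[0].strip().lower()
        return essence in SAFELISTED_CONTENT_TYPES
    return True


def needs_preflight(method: str, headers: dict) -> bool:
    """True if a cross-origin request with this method/headers gets an OPTIONS preflight."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    return any(not header_is_safelisted(n, v) for n, v in headers.items())


def workaround_requests_skipping_preflight() -> list:
    """Constructed sample: the issue's workarounds 1 and 2 as header sets a browser sends
    without preflight, i.e. a JSON-shaped body still reaches the server cross-origin."""
    samples = [
        {"Content-Type": "text/plain"},                            # workaround 1
        {"Content-Type": "application/x-www-form-urlencoded"},     # workaround 2
    ]
    return [h for h in samples if not needs_preflight("POST", h)]
```

A server that only accepts `application/json` and relies on the resulting preflight therefore has no protection against the workarounds the issue lists; it needs an explicit origin check (or an Origin/CSRF token check) regardless of what happens to the safelist.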