- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 16 Mar 2009 17:25:48 +0100
- To: "Alexey Proskuryakov" <ap@webkit.org>
- Cc: public-webapps <public-webapps@w3.org>
On Mon, 16 Mar 2009 12:29:34 +0100, Alexey Proskuryakov <ap@webkit.org> wrote:

> The difference is that when one does <form enctype="TEXT/Plain">, the
> MIME type on the wire is "text/plain", but with setRequestHeader, it's
> "TEXT/Plain". So, server-side code that does case-sensitive comparisons
> (something like if (contentType == "text/plain") ... else if
> (contentType == "multipart/form-data") else <assume
> application/x-www-form-urlencoded>) can be fooled. I'm not saying that
> this is a particularly likely bug for servers to have, but it's also
> extremely easy to protect from in CORS.

If we want to do normalization of media types it seems better to do that in XMLHttpRequest, no?

-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Monday, 16 March 2009 16:26:39 UTC
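
The server-side pattern described in the quoted text, next to a dispatcher that normalizes the media type before comparing. This is an added example, not code from the thread or from any specification; the function names and the set of accepted types are assumptions made for illustration.

```javascript
// Added example. All names here are hypothetical.

// Fragile dispatcher of the kind the quoted text describes: exact,
// case-sensitive string comparison with a fall-through default.
function classifyNaive(contentType) {
  if (contentType === "text/plain") return "text/plain";
  if (contentType === "multipart/form-data") return "multipart/form-data";
  return "application/x-www-form-urlencoded"; // assumed when nothing matched
}

// Media type names are case-insensitive, so reduce the header value to
// "type/subtype": drop parameters, trim whitespace, lowercase.
// Returns null when the value is missing or not a well-formed type/subtype.
function normalizeMediaType(headerValue) {
  if (typeof headerValue !== "string") return null;
  const essence = headerValue.split(";", 1)[0].trim().toLowerCase();
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  return new RegExp("^" + token + "/" + token + "$").test(essence)
    ? essence
    : null;
}

// Assumed allow-list: the three form encodings named in the message.
const KNOWN_TYPES = new Set([
  "text/plain",
  "multipart/form-data",
  "application/x-www-form-urlencoded",
]);

// Hardened dispatcher: compares the normalized value and has no default
// branch. A null result means the caller should reject the request
// (for example with 415) instead of guessing an encoding.
function classifyStrict(contentType) {
  const essence = normalizeMediaType(contentType);
  return essence !== null && KNOWN_TYPES.has(essence) ? essence : null;
}

// Constructed sample header values, not captured traffic.
for (const value of ["text/plain", "TEXT/Plain", "application/json"]) {
  console.log(JSON.stringify(value), classifyNaive(value), classifyStrict(value));
}
```

With the naive version, "TEXT/Plain" is parsed as URL-encoded form data; the strict version maps it to "text/plain" and returns null for anything outside the allow-list.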