- From: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
- Date: Wed, 03 Aug 2011 11:03:50 +0200
- To: Anne van Kesteren <annevk@opera.com>
- Cc: public-webapps@w3.org, Giles Hogben <Giles.Hogben@enisa.europa.eu>, Lieven Desmet <Lieven.Desmet@cs.kuleuven.be>
On Tue, 2011-08-02 at 16:46 +0200, Anne van Kesteren wrote:
> On Mon, 01 Aug 2011 16:09:17 +0200, Philippe De Ryck
> <philippe.deryck@cs.kuleuven.be> wrote:
> > The CORS specification fails to protect legacy servers from POST
> > messages with arbitrary body formatting.
>
> You can create pretty much any arbitrary message body you want using
> application/x-www-form-urlencoded already by crafting smart names and
> values so the real importance is in not being able to set Content-Type.
> This is not a security problem as far as I can tell.

Using a form still results in the use of = and & in the body, even with
crafted names/values. Taking the ICS format as an example, this is very
difficult to encode in a normal form, but very easy with cross-origin XHR.
This can leave legacy servers open to a new attack vector.

BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//hacksw/handcal//NONSGML v1.0//EN
BEGIN:VEVENT
UID:uid1@example.com
DTSTAMP:19970714T170000Z
ORGANIZER;CN=John Doe:MAILTO:john.doe@example.com
DTSTART:19970714T170000Z
DTEND:19970715T035959Z
SUMMARY:Bastille Day Party
END:VEVENT
END:VCALENDAR

-- 
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science

Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
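The point under discussion, as an added example that is not part of Philippe's message or of the CORS specification: the snippet below reproduces the browser's application/x-www-form-urlencoded serializer, shows that the best a form can do with the iCalendar sample above is a single percent-escaped field name followed by `=`, and contrasts that with the raw body a cross-origin XHR can send as `text/plain` without a preflight. It closes with a server-side check that requires the real `text/calendar` media type, which is not one of the three Content-Type values a cross-origin XHR may send without preflight, so a legacy server that never answers preflights is no longer reachable this way. The ICS text is the sample from the message; the function names, the allow-list and the header objects are my own constructions.

```javascript
// Added example, not code from the original message. Assumes Node.js.

// The iCalendar sample from the message, with the CRLF line endings the
// format requires (constructed here as test input).
const ICS = [
  'BEGIN:VCALENDAR',
  'VERSION:2.0',
  'PRODID:-//hacksw/handcal//NONSGML v1.0//EN',
  'BEGIN:VEVENT',
  'UID:uid1@example.com',
  'DTSTAMP:19970714T170000Z',
  'ORGANIZER;CN=John Doe:MAILTO:john.doe@example.com',
  'DTSTART:19970714T170000Z',
  'DTEND:19970715T035959Z',
  'SUMMARY:Bastille Day Party',
  'END:VEVENT',
  'END:VCALENDAR',
].join('\r\n');

// Byte serializer used by the browser for application/x-www-form-urlencoded:
// alphanumerics and "*-._" are left alone, space becomes "+", every other
// byte (including ":", "/", "@", CR and LF) is percent-encoded.
// encodeURIComponent also leaves "!'()~" unescaped, so those are fixed up.
function formByteSerialize(s) {
  return encodeURIComponent(s)
    .replace(/[!'()~]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, '+');
}

// Body of an HTML form POST: name=value pairs joined with "&".
function formUrlEncode(fields) {
  return Object.entries(fields)
    .map(([name, value]) => `${formByteSerialize(name)}=${formByteSerialize(value)}`)
    .join('&');
}

// The closest a form can get to sending an arbitrary payload: the whole
// payload as one field name with an empty value. The result is still one
// line, percent-escaped, and terminated by "=".
function bestFormAttempt(payload) {
  return formUrlEncode({ [payload]: '' });
}

// A naive legacy handler that recognises iCalendar by looking at the raw body
// and, like many legacy endpoints, never consults Content-Type. Every content
// line must be NAME[;params]:value, framed by BEGIN:/END:VCALENDAR.
function looksLikeICalendar(body) {
  const lines = body.split(/\r?\n/);
  return lines[0] === 'BEGIN:VCALENDAR'
    && lines[lines.length - 1] === 'END:VCALENDAR'
    && lines.every((l) => /^[A-Z-]+(;[^:]*)?:/.test(l));
}

// Mitigation on the server side (my suggestion, not from the thread): accept
// calendar uploads only with Content-Type text/calendar. A cross-origin XHR
// may send only application/x-www-form-urlencoded, multipart/form-data or
// text/plain without a preflight, so this header forces a preflight, which a
// server that sets no Access-Control-* headers implicitly refuses. The Origin
// allow-list is a second, independent check; a missing Origin (non-browser or
// same-origin client) is left to the Content-Type rule alone.
function acceptCalendarPost(headers, allowedOrigins) {
  const mediaType = (headers['content-type'] || '').split(';')[0].trim().toLowerCase();
  if (mediaType !== 'text/calendar') return false;
  const origin = headers['origin'];
  if (origin !== undefined && !allowedOrigins.includes(origin)) return false;
  return true;
}

// Stand-alone demonstration.
console.log('XHR body parses as iCalendar :', looksLikeICalendar(ICS));
console.log('Form body parses as iCalendar:', looksLikeICalendar(bestFormAttempt(ICS)));
console.log('Form body                     :', bestFormAttempt(ICS));
```

Run with `node` to see the form-encoded body side by side with the raw one; the form version carries `%3A` where every `:` was, `%0D%0A` for each line break, and a trailing `=`, which is why a parser expecting iCalendar framing rejects it while the XHR body goes straight through.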
Received on Wednesday, 3 August 2011 09:20:43 UTC