- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Tue, 18 Nov 2014 11:01:54 +0100
- To: Domenic Denicola <d@domenic.me>
- Cc: Takeshi Yoshino <tyoshino@google.com>, Rui Prior <rprior@dcc.fc.up.pt>, "Web Applications Working Group WG (public-webapps@w3.org)" <public-webapps@w3.org>
On Tue, Nov 18, 2014 at 10:34 AM, Domenic Denicola <d@domenic.me> wrote: > I still think we should just allow the developer full control over the Content-Length header if they've taken full control over the contents of the request body (by writing to its stream asynchronously and piecemeal). It gives no more power than using CURL. (Except the usual issues of ambient/cookie authority, but those seem orthogonal to Content-Length mismatch.) Why? If a service behind a firewall is vulnerable to Content-Length mismatches, you can now attack such a service by tricking a user behind that firewall into visiting evil.com. -- https://annevankesteren.nl/
Received on Tuesday, 18 November 2014 10:02:21 UTC