Re: =[xhr]

On Tue, Nov 18, 2014 at 10:34 AM, Domenic Denicola <d@domenic.me> wrote:
> I still think we should just allow the developer full control over the Content-Length header if they've taken full control over the contents of the request body (by writing to its stream asynchronously and piecemeal). It gives no more power than using CURL. (Except the usual issues of ambient/cookie authority, but those seem orthogonal to Content-Length mismatch.)

Why? If a service behind a firewall is vulnerable to Content-Length
mismatches, you can now attack such a service by tricking a user
behind that firewall into visiting evil.com.


-- 
https://annevankesteren.nl/

Received on Tuesday, 18 November 2014 10:02:21 UTC