- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 19 Feb 2015 22:59:25 +0100
- To: Jonas Sicking <jonas@sicking.cc>
- Cc: Dale Harvey <dale@arandomurl.com>, Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>
* Jonas Sicking wrote: >We most likely can consider the content-type header as *not* "custom". >I was one of the people way back when that pointed out that there's a >theoretical chance that allowing arbitrary content-type headers could >cause security issues. But it seems highly theoretical. > >I suspect that the mozilla security team would be fine with allowing >arbitrary content-types to be POSTed though. Worth asking. I can't >speak for other browser vendors of course. I think the situation might well be worse now than it was when we first started discussing what is now "CORS". In any case, this would be an ex- periment that cannot easily be undone, browser vendors would not pay the bill if there are actually large scale security vulnerabilities opened up by such a change, and I do not really see notable benefits in con- ducting such an experiment. -- Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de Available for hire in Berlin (early 2015) · http://www.websitedev.de/
Received on Thursday, 19 February 2015 22:00:10 UTC