
Re: CORS performance

From: Bjoern Hoehrmann <derhoermi@gmx.net>
Date: Thu, 19 Feb 2015 22:59:25 +0100
To: Jonas Sicking <jonas@sicking.cc>
Cc: Dale Harvey <dale@arandomurl.com>, Brian Smith <brian@briansmith.org>, Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>, WebApps WG <public-webapps@w3.org>, Monsur Hossain <monsur@gmail.com>
Message-ID: <0kmcea1hplrlmbt3m7rkdct4h59952pl5o@hive.bjoern.hoehrmann.de>
* Jonas Sicking wrote:
>We most likely can consider the content-type header as *not* "custom".
>I was one of the people way back when that pointed out that there's a
>theoretical chance that allowing arbitrary content-type headers could
>cause security issues. But it seems highly theoretical.
>I suspect that the mozilla security team would be fine with allowing
>arbitrary content-types to be POSTed though. Worth asking. I can't
>speak for other browser vendors of course.

I think the situation might well be worse now than it was when we first
started discussing what is now "CORS". In any case, this would be an
experiment that cannot easily be undone, browser vendors would not pay the
bill if there are actually large scale security vulnerabilities opened
up by such a change, and I do not really see notable benefits in
conducting such an experiment.
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
Available for hire in Berlin (early 2015) · http://www.websitedev.de/
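The point under discussion, as an added illustration that is not part of this thread: the following Python models the CORS rule under which a Content-Type outside the three safelisted values is a "custom" header that forces a preflight, and a JSON-only endpoint that answers no preflight and carries no CSRF token. The `content_type_is_custom` switch is an assumption introduced here to compare today's behaviour with the change Jonas proposes.

```python
# Added example, not code from this thread: models the CORS rule under which
# a Content-Type outside the three safelisted values is a "custom" header that
# forces an OPTIONS preflight, and a server that parses only JSON bodies and
# never answers a preflight with Access-Control-Allow-* headers.
# The `content_type_is_custom` switch is an assumption introduced here to
# compare today's behaviour with the change the thread debates.

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def mime_essence(value):
    """type/subtype of a Content-Type value, lowercased, parameters stripped."""
    return value.split(";", 1)[0].strip().lower()


def needs_preflight(method, headers, content_type_is_custom=True):
    """True if a browser must send a preflight before this cross-origin request."""
    if method.upper() not in SAFELISTED_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        if (lname == "content-type" and content_type_is_custom
                and mime_essence(value) not in SAFELISTED_CONTENT_TYPES):
            return True
    return False


def cross_origin_post_reaches_json_handler(headers, content_type_is_custom=True):
    """Model a JSON-only endpoint with no CORS headers and no CSRF token.

    The page never reads the response, but the handler's side effects happen
    if the browser sends the request without a preflight. Under today's rule
    a JSON POST is preflighted and the preflight fails, so the handler is never
    reached; that implicit protection vanishes if Content-Type stops being
    "custom", which is why such endpoints should also check Origin or a token.
    """
    if needs_preflight("POST", headers, content_type_is_custom):
        return False  # preflight rejected; the real request is never sent
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    return mime_essence(ctype) == "application/json"
```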
Received on Thursday, 19 February 2015 22:00:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:46 UTC