- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 15 Feb 2017 16:51:15 +0100
- To: WebAppSec WG <public-webappsec@w3.org>
Reports go across origins and don't follow the MIME type safelist from CORS/HTML forms. It seems problematic that we keep breaking our own rules with regard to the same-origin policy, especially as it doesn't seem to happen on purpose. Note that simply adding these MIME types to the safelist would not be great either, as the servers that are currently "guaranteed" to get JSON (depends a little bit on whether tokens are used or whether it's an intranet, as I believe credentials are not included in these reports) might then be able to get more carefully crafted attack payloads.

--
https://annevankesteren.nl/
Received on Wednesday, 15 February 2017 15:51:46 UTC
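The "MIME type safelist" the message refers to is the Fetch standard's rule for when a `Content-Type` request header is CORS-safelisted (and so may be sent cross-origin without a preflight). The following is an added illustration, not part of the email or of any browser's code: it implements an approximation of that rule and shows that the `application/csp-report` type used by CSP violation reports, like plain `application/json`, would not pass it. The sample header values are constructed for the example; the parsing is a simplification of the spec's full MIME-type parser.

```python
# Added example: approximate check of the Fetch standard's
# "CORS-safelisted request-header" rule for Content-Type.
# Simplified from the spec: essence parsing is a split on ';',
# not the full MIME type parser.

# Only these essences are safelisted (what an HTML form can produce).
SAFELISTED_ESSENCES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Bytes the spec calls "CORS-unsafe request-header bytes".
_UNSAFE_PUNCTUATION = b'"():<>?@[\\]{}'


def _has_cors_unsafe_byte(value: str) -> bool:
    """True if any byte of the header value is CORS-unsafe."""
    for b in value.encode("latin-1", errors="replace"):
        if b < 0x20 and b != 0x09:      # control chars other than HT
            return True
        if b == 0x7F or b in _UNSAFE_PUNCTUATION:
            return True
    return False


def mime_essence(content_type: str) -> str:
    """Lowercased type/subtype with parameters dropped (simplified)."""
    return content_type.split(";", 1)[0].strip().lower()


def is_cors_safelisted_content_type(content_type: str) -> bool:
    """Approximation of: is `Content-Type: <content_type>` CORS-safelisted?

    Conditions (per Fetch): value length <= 128 bytes, no CORS-unsafe
    bytes anywhere in the value, and the MIME essence is one of the
    three form-compatible types.
    """
    if len(content_type.encode("latin-1", errors="replace")) > 128:
        return False
    if _has_cors_unsafe_byte(content_type):
        return False
    return mime_essence(content_type) in SAFELISTED_ESSENCES


def classify(content_types):
    """Map each constructed header value to its safelist verdict."""
    return {ct: is_cors_safelisted_content_type(ct) for ct in content_types}


if __name__ == "__main__":
    # Constructed sample values; the report type is the one CSP defines.
    samples = [
        "text/plain",
        "multipart/form-data; boundary=----abc123",
        "application/x-www-form-urlencoded",
        "application/csp-report",   # what CSP violation reports carry
        "application/json",
        'text/plain; charset="utf-8"',  # quoted value contains an unsafe byte
    ]
    for ct, ok in classify(samples).items():
        print(f"{'safelisted   ' if ok else 'NOT safelisted'}  {ct}")
```

The last sample is the edge case worth remembering: even a safelisted essence fails the rule once the value contains a byte such as `"`, so a non-preflighted request can never carry arbitrary header syntax. A report-receiving endpoint that wants to preserve the "guaranteed JSON" assumption the message describes would apply the mirror-image check on its side: reject report bodies whose `Content-Type` essence is not the report type it expects before parsing them.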