- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Wed, 15 Feb 2017 09:22:58 -0800
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: WebAppSec WG <public-webappsec@w3.org>
Received on Wednesday, 15 February 2017 17:23:52 UTC
So we change the MIME type to text/plain (allowed) and the text happens to be formatted as JSON. I don't see how that helps, but it would be spec-compliant.

-Dan Veditz

On Wed, Feb 15, 2017 at 7:51 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
> Reports go across origins and don't follow the MIME type safelist from
> CORS/HTML forms. It seems problematic that we keep breaking our own
> rules with regards to the same-origin policy, especially as it doesn't
> seem to happen on purpose.
>
> Note that simply adding these MIME types to the safelist would not be
> great either, as the servers that are currently "guaranteed" to get
> JSON (depends a little bit on whether tokens are used or whether it's
> an intranet as I believe credentials are not included in these
> reports), might then be able to get more carefully crafted attack
> payloads.
>
>
> --
> https://annevankesteren.nl/