
Re: Reports feature violates the same-origin policy

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 15 Feb 2017 19:01:09 +0100
Message-ID: <CADnb78gYcO9wU4EHfORHkB94D-c3pz-FtQGShDeRLix2EHKwvg@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Feb 15, 2017 at 6:22 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> So we change the MIME type to text/plain (allowed) and the text happens to
> be formatted as JSON. I don't see how that helps, but it would be
> spec-compliant.

That means that a server that accepts JSON payloads and carefully
checks the MIME type of the incoming request would not be vulnerable
if this was used maliciously somehow.


-- 
https://annevankesteren.nl/
Received on Wednesday, 15 February 2017 18:01:38 UTC
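One way to implement the server-side MIME-type check Anne describes, as an added example that is not part of the original thread and not any project's code. The request shape (a header dict plus a byte body), the function names and the set of accepted media types are assumptions; the sample requests are constructed.

```python
import json
from typing import Optional, Tuple

# Hypothetical JSON/CSP-report endpoint. Names and the allowed-type set are
# assumptions for this example, not taken from the thread.
ALLOWED_MEDIA_TYPES = {"application/json", "application/csp-report"}


def parse_media_type(content_type: Optional[str]) -> Tuple[str, dict]:
    """Split 'type/subtype; param=value' into a lowercase media type and its parameters."""
    if not content_type:
        return "", {}
    parts = [p.strip() for p in content_type.split(";")]
    media_type = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return media_type, params


def accept_json_request(headers: dict, body: bytes) -> Tuple[int, Optional[dict]]:
    """Return (status, parsed_json). The declared MIME type decides acceptance;
    a body that merely looks like JSON is never enough."""
    # Header names are case-insensitive in HTTP, so match them that way.
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    media_type, params = parse_media_type(ct)
    if media_type not in ALLOWED_MEDIA_TYPES:
        return 415, None  # Unsupported Media Type: text/plain is refused even if JSON-shaped
    charset = params.get("charset", "utf-8").lower()
    if charset != "utf-8":
        return 415, None
    try:
        return 200, json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, None  # declared JSON, but the body does not parse


# Constructed sample requests (not from the thread).
JSON_BODY = b'{"csp-report": {"document-uri": "https://example.test/"}}'
GOOD = ({"Content-Type": "application/csp-report"}, JSON_BODY)
SPOOFED = ({"Content-Type": "text/plain"}, JSON_BODY)  # JSON text sent as text/plain

if __name__ == "__main__":
    print(accept_json_request(*GOOD))     # (200, {...})
    print(accept_json_request(*SPOOFED))  # (415, None)
```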
