
Re: Reports feature violates the same-origin policy

From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 15 Feb 2017 19:01:09 +0100
Message-ID: <CADnb78gYcO9wU4EHfORHkB94D-c3pz-FtQGShDeRLix2EHKwvg@mail.gmail.com>
To: Daniel Veditz <dveditz@mozilla.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Feb 15, 2017 at 6:22 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
> So we change the MIME type to text/plain (allowed) and the text happens to
> be formatted as JSON. I don't see how that helps, but it would be
> spec-compliant.

That means that a server that accepts JSON payloads and carefully
checks the MIME type of the incoming request would not be vulnerable
if this was used maliciously somehow.

Received on Wednesday, 15 February 2017 18:01:38 UTC
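The point made in the reply above, as an added example that is not code from the thread or from any browser or server project: a JSON endpoint that parses whatever body it receives, beside one that first requires an exact media type. A body that merely "happens to be formatted as JSON" but is delivered as text/plain (a CORS-safelisted type, so a cross-origin POST carrying it needs no preflight) is accepted by the first handler and rejected by the second. The handler names, the request shapes and the lowercase header keys (as Node's http module produces) are assumptions for the illustration; the requests are constructed, not captured.

```javascript
// Added example, not from the mailing-list thread. Names and request
// shapes are hypothetical; headers are assumed to use lowercase keys.

// Split a Content-Type header into its essence (type/subtype) and parameters.
function parseContentType(value) {
  if (typeof value !== 'string') return null;
  const [essence, ...paramParts] = value.split(';').map((s) => s.trim());
  const params = {};
  for (const part of paramParts) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim().toLowerCase();
    params[name] = part.slice(eq + 1).trim().replace(/^"|"$/g, '');
  }
  return { essence: essence.toLowerCase(), params };
}

// Weak endpoint: never looks at Content-Type, so any body that parses as
// JSON is treated as a legitimate request.
function weakJsonEndpoint(headers, body) {
  try {
    return { accepted: true, payload: JSON.parse(body) };
  } catch (e) {
    return { accepted: false, status: 400, reason: 'body is not JSON' };
  }
}

// Strict endpoint: only the media type the API documents is allowed, and it
// is checked before the body is touched. text/plain (and the other
// CORS-safelisted types) are not on the list, so a no-preflight cross-origin
// POST never reaches JSON.parse.
const ACCEPTED_TYPES = new Set(['application/json']);

function strictJsonEndpoint(headers, body) {
  const ct = parseContentType(headers['content-type']);
  if (!ct || !ACCEPTED_TYPES.has(ct.essence)) {
    return { accepted: false, status: 415, reason: 'unsupported media type' };
  }
  if (ct.params.charset && ct.params.charset.toLowerCase() !== 'utf-8') {
    return { accepted: false, status: 415, reason: 'unsupported charset' };
  }
  try {
    return { accepted: true, payload: JSON.parse(body) };
  } catch (e) {
    return { accepted: false, status: 400, reason: 'body is not JSON' };
  }
}

// Constructed sample requests (not real traffic).
// 1. JSON-shaped text delivered as text/plain, as a cross-origin POST could do.
const textPlainJson = {
  headers: { 'content-type': 'text/plain' },
  body: '{"action":"transfer","amount":100}',
};
// 2. The same payload sent the way the API expects it.
const properJson = {
  headers: { 'content-type': 'application/json; charset=utf-8' },
  body: '{"action":"transfer","amount":100}',
};

// Summary of both handlers' decisions on both requests.
function compareHandlers() {
  return {
    weakOnTextPlain: weakJsonEndpoint(textPlainJson.headers, textPlainJson.body).accepted,
    strictOnTextPlain: strictJsonEndpoint(textPlainJson.headers, textPlainJson.body).accepted,
    strictOnJson: strictJsonEndpoint(properJson.headers, properJson.body).accepted,
  };
}
```

The check is deliberately an exact match on the essence rather than a substring test: `'application/json'` must equal the parsed type, so values such as `text/plain` or a type with a misleading parameter do not slip through. A Content-Type check is a useful first gate for a JSON API, but it is not a substitute for the usual CSRF protections (same-site cookies, origin checks, tokens); it only removes the no-preflight path.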
