
Re: Reports feature violates the same-origin policy

From: Frederik Braun <fbraun@mozilla.com>
Date: Wed, 15 Feb 2017 19:14:33 +0100
To: public-webappsec@w3.org
Message-ID: <9e419c3c-ae8a-bff8-bca8-302c92a38077@mozilla.com>
On 15.02.2017 19:01, Anne van Kesteren wrote:
> On Wed, Feb 15, 2017 at 6:22 PM, Daniel Veditz <dveditz@mozilla.com> wrote:
>> So we change the MIME type to text/plain (allowed) and the text happens to
>> be formatted as JSON. I don't see how that helps, but it would be
>> spec-compliant.
> 
> That means that a server that accepts JSON payloads and carefully
> checks the MIME type of the incoming request would not be vulnerable
> if this was used maliciously somehow.
That, or we add it to the MIME type list. Either way, the server has to
check it's JSON. Endpoints had to be careful with spoofed requests
already, except that we're adding the intranet now.
Received on Wednesday, 15 February 2017 18:15:08 UTC
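The check the two replies above are talking about, as an added example that is not part of the thread and not code from any W3C spec or browser: a minimal report collector that first refuses any POST whose media type is not a report type, then checks that the body is JSON of the expected shape, so that a text/plain body that merely happens to look like JSON is rejected. The list of accepted report types (application/csp-report from CSP Level 2 and application/reports+json from the Reporting API) and the two required fields are this example's own assumptions; the set of media types a browser sends cross-origin without a preflight is the CORS-safelisted list from Fetch.

```python
import json
from http import HTTPStatus

# Media types a cross-origin page can already POST from a plain HTML form or a
# fetch() without a CORS preflight (the CORS-safelisted request content types).
# Any page on the web can therefore aim such a request at an intranet host.
CORS_SAFELISTED_TYPES = {
    "text/plain",
    "application/x-www-form-urlencoded",
    "multipart/form-data",
}

# Media types this example's collector treats as genuine reports. The first is
# the type CSP Level 2 uses for violation reports, the second the type the
# Reporting API uses. Accepting exactly these two is this example's policy,
# not something the thread settles.
ACCEPTED_REPORT_TYPES = {"application/csp-report", "application/reports+json"}

# Fields this example insists on inside a CSP violation report: an assumed
# subset of the real report format, enough to reject arbitrary JSON objects.
REQUIRED_CSP_FIELDS = {"document-uri", "violated-directive"}


def parse_media_type(content_type):
    """Lower-cased media type from a Content-Type header, parameters such as
    charset dropped. A missing header yields ''."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def sent_without_preflight(content_type):
    """True if a browser would send a cross-origin POST carrying this
    Content-Type without a CORS preflight, i.e. any web page can forge it."""
    return parse_media_type(content_type) in CORS_SAFELISTED_TYPES


def accept_report(content_type, body, check_mime=True):
    """Decide whether a POSTed body should be stored as a report.

    Returns an (HTTPStatus, reason) pair. With check_mime=True the collector
    refuses anything that does not carry one of ACCEPTED_REPORT_TYPES; with
    check_mime=False it only checks that the body is well-formed JSON of the
    expected shape, which is the minimum an endpoint has to do either way.
    """
    media_type = parse_media_type(content_type)
    if check_mime and media_type not in ACCEPTED_REPORT_TYPES:
        return HTTPStatus.UNSUPPORTED_MEDIA_TYPE, "unexpected media type %r" % media_type

    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        return HTTPStatus.BAD_REQUEST, "body is not JSON"

    # Shape check: a CSP2 report is {"csp-report": {...}}; a Reporting API
    # delivery is a JSON array of {"type": ..., "url": ..., "body": {...}}.
    if isinstance(payload, dict) and isinstance(payload.get("csp-report"), dict):
        missing = REQUIRED_CSP_FIELDS - set(payload["csp-report"])
        if missing:
            return HTTPStatus.BAD_REQUEST, "csp-report missing %s" % sorted(missing)
        return HTTPStatus.NO_CONTENT, "stored csp-report"

    if isinstance(payload, list) and payload and all(
        isinstance(r, dict) and {"type", "url", "body"}.issubset(r) for r in payload
    ):
        return HTTPStatus.NO_CONTENT, "stored %d report(s)" % len(payload)

    return HTTPStatus.BAD_REQUEST, "JSON does not look like a report"


# Constructed sample bodies, not captured traffic.
CSP_REPORT_BODY = json.dumps({"csp-report": {
    "document-uri": "https://intranet.example/wiki",
    "violated-directive": "script-src 'self'",
    "blocked-uri": "https://evil.example/x.js",
}})
REPORTING_API_BODY = json.dumps([{
    "type": "csp-violation", "age": 10, "url": "https://intranet.example/wiki",
    "user_agent": "example", "body": {"documentURL": "https://intranet.example/wiki"},
}])
FORM_BODY = "a=1&b=2"


def demo():
    """Run the collector over the scenarios from the thread; returns statuses."""
    return {
        # Genuine report with the report media type: accepted.
        "csp_report": accept_report("application/csp-report", CSP_REPORT_BODY)[0],
        "reporting_api": accept_report("application/reports+json", REPORTING_API_BODY)[0],
        # Dan's scenario: same JSON text labelled text/plain. A MIME check
        # rejects it; a collector that skips the MIME check would store it.
        "plain_strict": accept_report("text/plain", CSP_REPORT_BODY)[0],
        "plain_lax": accept_report("text/plain", CSP_REPORT_BODY, check_mime=False)[0],
        # Right media type, wrong content: still rejected by the JSON check.
        "form_body": accept_report("application/csp-report", FORM_BODY)[0],
        "wrong_json": accept_report("application/csp-report", '{"foo": 1}')[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-14s %d %s" % (name, status, status.phrase))
```

The point of the `plain_lax` case is Anne's observation: if the report were sent as text/plain, a collector that parses whatever JSON it gets would accept it, while one that checks the media type would not. `sent_without_preflight` shows why the media type matters at all: text/plain is something any attacker page can already POST to an intranet host, whereas application/csp-report is not.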
