Re: Transfer-Encoding and XSS

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 4 Oct 2018 17:29:56 +0200
To: Eric Lawrence <Eric.Lawrence@microsoft.com>, Ricardo Iramar dos Santos <riramar@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <3c54b01d-252b-ecd5-972b-b3b3e83cd0db@gmx.de>

On 9/25/2018 4:42 PM, Eric Lawrence wrote:
> Anecdotally, I’ve never seen a browser itself specify a 
> Transfer-Encoding on a **request**.

What if the request body size is unknown beforehand?

> The use of Content-Encoding: gzip on certain uploads has been proposed 
> at various points (and possible via e.g. Flash, IIRC) but it suffers 
> from the general challenge that there’s no good way to understand 
> whether the server will accept such encoding (and protect itself from 
> Zip bomb attacks, etc.).

-> <https://greenbytes.de/tech/webdav/rfc7694.html>

Best regards, Julian
Received on Thursday, 4 October 2018 15:30:25 UTC
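
The server-side concern raised in the quoted passage, together with the RFC 7694 pointer in the reply, as an added example that is not part of the original message: a request-body decoder that caps decoded size while streaming and, for an unsupported coding, answers 415 with an Accept-Encoding response header as RFC 7694 describes. The helper name `decode_upload`, the 1 MiB cap and the choice of 413 and 400 for the other failures are assumptions.

```python
import gzip
import zlib

MAX_DECODED = 1024 * 1024          # assumed policy: 1 MiB cap on the decoded body
ACCEPTED = "gzip, identity"        # codings this hypothetical server accepts on requests

def decode_upload(content_encoding, chunks, limit=MAX_DECODED):
    """Decode a request body arriving as an iterable of byte chunks.

    Returns (status, response_headers, body). Hypothetical helper, not tied
    to any framework; handles a single content coding only.
    """
    coding = (content_encoding or "identity").strip().lower()
    if coding not in ("gzip", "identity"):
        # RFC 7694: answer 415 and advertise the supported request codings.
        return 415, {"Accept-Encoding": ACCEPTED}, b""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS) if coding == "gzip" else None
    out = bytearray()
    try:
        for chunk in chunks:
            if inflater is None:
                out += chunk
            elif inflater.eof:
                return 400, {}, b""        # bytes after the end of the gzip stream
            else:
                # max_length bounds the output of this call, so a small
                # input can never expand past limit + 1 bytes in memory.
                out += inflater.decompress(chunk, limit + 1 - len(out))
            if len(out) > limit:
                return 413, {}, b""        # decoded size over the cap: stop early
    except zlib.error:
        return 400, {}, b""                # not valid gzip data
    if inflater is not None and (not inflater.eof or inflater.unused_data):
        return 400, {}, b""                # truncated stream or trailing bytes
    return 200, {}, bytes(out)

def split(data, size=1024):
    """Cut a byte string into chunks, as a body of unknown length would arrive."""
    return [data[i:i + size] for i in range(0, len(data), size)]

# Constructed sample inputs.
SMALL = split(gzip.compress(b"field=value"))
BOMB = split(gzip.compress(b"\0" * (10 * MAX_DECODED)))   # small on the wire, 10 MiB decoded

if __name__ == "__main__":
    print(decode_upload("gzip", SMALL))
    print(decode_upload("gzip", BOMB)[0])
    print(decode_upload("br", [b"..."]))
```

Because the cap is enforced per chunk through `max_length`, the decoder rejects the oversized body without ever holding more than the cap plus one byte of decoded output.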