On Sep 17, 1:12 am, Hans Granqvist <[email protected]> wrote:
> seems to leave PUT requests with form-encoded name/value pairs in a
> bad spot, not covered by the core spec (which only deals with POSTs),
> nor covered by the body hash spec.

I will rephrase my initial question: Is it true that the base string for "application/x-www-form-urlencoded" PUT requests should not contain the parameters in the request body according to the 1.0 core specification?

Section "9.1.1 Normalize Request Parameters" (http://oauth.net/core/1.0#anchor14) says: "Parameters in the HTTP POST request body (with a content-type of application/x-www-form-urlencoded)."

If "HTTP POST request body" should be interpreted as "the request body if it is a POST request", "application/x-www-form-urlencoded" PUT requests are wide open for man-in-the-middle attacks. If it should be interpreted as "the request body of any kind of request", I'm fine with this and we could move along.

In any case the wording is too ambiguous, leaving room for interpretation. I'd suggest that an amendment should be done to the specification.
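The two readings of section 9.1.1 raised in this message, compared in code as an added example that is not part of the original post or of any OAuth library. It builds the Core 1.0 signature base string for a form-encoded PUT under each reading and checks whether an altered body changes the HMAC-SHA1 signature; the keys, secrets, URL and body values are constructed, and the URL is assumed to be already normalized with no query string.

```python
import base64, hashlib, hmac
from urllib.parse import quote, parse_qsl

def enc(s):
    # OAuth 1.0 section 5.1 percent-encoding: only unreserved characters stay literal
    return quote(s, safe="-._~")

def base_string(method, url, oauth_params, body, body_methods):
    """Signature base string per Core 1.0 section 9.1.
    body_methods: HTTP methods whose form-encoded body is folded into the parameters."""
    params = list(oauth_params.items())
    if method.upper() in body_methods:
        params += parse_qsl(body, keep_blank_values=True)
    pairs = sorted((enc(k), enc(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), enc(url), enc(normalized)])

def sign(base, consumer_secret, token_secret):
    # HMAC-SHA1 key is the encoded consumer secret and token secret joined by "&"
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    mac = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

# Constructed sample values, not taken from the thread
OAUTH = {"oauth_consumer_key": "ck", "oauth_token": "tk", "oauth_nonce": "n1",
         "oauth_timestamp": "1221600000", "oauth_signature_method": "HMAC-SHA1",
         "oauth_version": "1.0"}
URL = "http://example.com/accounts/42"
SENT = "owner=alice&limit=100"
ALTERED = "owner=mallory&limit=100000"   # same request, body changed in transit

def signatures(body_methods):
    """Signatures over the same PUT with the original and the altered body."""
    return tuple(sign(base_string("PUT", URL, OAUTH, b, body_methods), "cs", "ts")
                 for b in (SENT, ALTERED))

POST_ONLY = signatures({"POST"})          # "the request body if it is a POST request"
ANY_METHOD = signatures({"POST", "PUT"})  # "the request body of any kind of request"

if __name__ == "__main__":
    # Equal signatures mean the provider cannot tell the altered body from the original
    print("POST-only reading, altered body verifies:", POST_ONLY[0] == POST_ONLY[1])
    print("any-method reading, altered body verifies:", ANY_METHOD[0] == ANY_METHOD[1])
```

A provider that wants the broad reading must apply the same rule when it recomputes the base string, otherwise every signed PUT from a client using the other reading fails verification.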
