Thomas Roessler wrote:
> On 2008-03-17 14:29:54 -0700, Sunava Dutta wrote:
>
>> If removed, all XDR POST requests could be sent with:
>>
>>     Content-Type: text/plain; charset=UTF-8
>>
>> Servers would then be flexible in interpreting the data in the
>> higher-level format they expect (JSON, XML, etc).
>
> Why text/plain, as opposed to, say,
> application/x-www-form-urlencoded?
>
> Or even some other content type? I'm worried that you're suggesting
> some pretty intrusive profiling of HTTP here, effectively
> *requiring* content sniffing to deal with any kind of form content.
> That creates its own bit of complexity and possibilities for
> insecurities down the road.
>
> I'd rather we deal with the added attack surface due to being able
> to POST properly labelled XML content than introducing another
> divergence into how HTTP headers are interpreted by Web
> applications.

+1.
Removing the ability to properly specify the content type is a bug, not
a feature.
(BTW: the same applies to other kinds of profiling, such as by HTTP
method name)
BR, Julian
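
The sniffing concern raised in this thread, as an added example that is not part of the original messages: a receiver that dispatches on the declared Content-Type next to one that must guess because every body arrives as text/plain. The function names, the parser table and the sample bodies are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs

JSON = "application/json"
FORM = "application/x-www-form-urlencoded"

# Hypothetical parser table for a receiving endpoint (not from the thread).
PARSERS = {
    JSON: json.loads,
    FORM: lambda b: parse_qs(b, keep_blank_values=True, strict_parsing=True),
    "text/plain": lambda b: b,
}

def parse_declared(content_type, body):
    """Trust the sender's label: one parser, chosen by the header.
    Unknown media types and bodies that do not match the label raise ValueError."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in PARSERS:
        raise ValueError("unsupported media type: " + media_type)
    return media_type, PARSERS[media_type](body)

def parse_sniffed(body, order=(JSON, FORM)):
    """Label is always text/plain, so guess: the first parser that accepts wins.
    The result depends on the receiver's trial order, not on the sender's intent."""
    for media_type in order:
        try:
            return media_type, PARSERS[media_type](body)
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            continue
    return "text/plain", body

# Constructed body that is valid JSON and also valid form-urlencoded data.
AMBIGUOUS = '{"q":"a=b"}'

if __name__ == "__main__":
    print(parse_sniffed(AMBIGUOUS))                      # read as JSON
    print(parse_sniffed(AMBIGUOUS, order=(FORM, JSON)))  # same bytes, read as a form
    print(parse_declared(FORM + "; charset=UTF-8", AMBIGUOUS))
    try:
        parse_declared(JSON, "a=1")                      # label and body disagree
    except ValueError as exc:
        print("rejected:", exc)
```

Two receivers that sniff in a different order disagree about the same bytes, while the labelled path either parses as declared or fails closed.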