Laurens Holst wrote:
Or, if you really do not want to increase the attack surface, you should always send the content type application/x-www-form-urlencoded, and only allow request entities constructed through an API. Because servers only expect x-www-form-urlencoded and not text/plain, and servers might have parsing issues if the POST body is malformed, both leading to changes from what is currently possible with HTML and thus, security risks.
Sorry, apparently this is a misconception of mine; using encoding="text/plain" you can apparently already send arbitrary requests. So ignore this paragraph please :). The rest does still apply.
By the way, I do not see how requiring servers to ignore the request entity content type and forcing them to do content sniffing makes things more secure, instead of less.
~Grauw -- Ushiko-san! Kimi wa doushite, Ushiko-san nan da!! ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Laurens Holst, student, university of Utrecht, the Netherlands. Website: www.grauw.nl. Backbase employee; www.backbase.com.
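The contrast the message draws, between a server that trusts the declared entity content type and one that ignores it and sniffs the body, can be made concrete with a small parser. The following is an added example written for this thread, not code from the message or from any forms specification: `parse_form_strict` accepts the body as form data only when the Content-Type is application/x-www-form-urlencoded (answering with 415 otherwise), while `parse_form_sniffing` shows what "ignore the declared type" amounts to. The function names, the 415 convention and the sample bodies are assumptions constructed for the example.

```python
"""Strict vs. sniffing handling of a POST entity (added example, not from the thread)."""
from typing import Dict, List, Optional
from urllib.parse import parse_qs

FORM_URLENCODED = "application/x-www-form-urlencoded"


def media_type(content_type: str) -> str:
    """Return the media type without parameters, lower-cased.

    'Text/Plain; charset=utf-8' -> 'text/plain'
    """
    return content_type.split(";", 1)[0].strip().lower()


def parse_form_strict(content_type: str, body: bytes) -> Optional[Dict[str, List[str]]]:
    """Parse the entity as form data only if the declared Content-Type says it is.

    Returns None when the type does not match or the body is malformed; the
    caller is expected to answer 415 Unsupported Media Type / 400 Bad Request
    rather than guess.  (Hypothetical handler contract for this example.)
    """
    if media_type(content_type) != FORM_URLENCODED:
        return None
    try:
        # urlencoded bodies are ASCII by construction; anything else is not form data.
        text = body.decode("ascii")
        # strict_parsing=True makes a pair without '=' a ValueError instead of
        # being silently dropped, so a malformed body is rejected, not repaired.
        return parse_qs(text, keep_blank_values=True, strict_parsing=True)
    except (UnicodeDecodeError, ValueError):
        return None


def parse_form_sniffing(content_type: str, body: bytes) -> Dict[str, List[str]]:
    """What 'ignore the entity content type and sniff' amounts to.

    The header is not consulted at all: whatever bytes arrive are decoded
    leniently and treated as name=value pairs if they look like them.
    """
    del content_type  # deliberately ignored, that is the point being illustrated
    text = body.decode("utf-8", errors="replace")
    return parse_qs(text, keep_blank_values=True)


# Constructed sample requests for the comparison.
GENUINE = (FORM_URLENCODED, b"user=alice&action=view")
# A text/plain entity whose bytes happen to look like a form submission.
LOOKALIKE = ("text/plain", b"user=alice&action=view")
# A form-typed entity that is not well formed.
MALFORMED = (FORM_URLENCODED, b"user=alice&broken")


def compare() -> Dict[str, object]:
    """Run both parsers over the three samples; used by the self-check below."""
    return {
        "strict_genuine": parse_form_strict(*GENUINE),
        "strict_lookalike": parse_form_strict(*LOOKALIKE),
        "strict_malformed": parse_form_strict(*MALFORMED),
        "sniff_lookalike": parse_form_sniffing(*LOOKALIKE),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:17s} -> {result}")
```

Under the strict parser the text/plain look-alike is refused outright, so the server never has to decide whether a body it was not told is form data should be treated as one; under the sniffing parser it is indistinguishable from the genuine submission, which is exactly the loss of information the message objects to.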