On Mon, 16 Mar 2009 12:29:34 +0100, Alexey Proskuryakov <a...@webkit.org> wrote:
The difference is that when one does <form enctype="TEXT/Plain">, the MIME type on the wire is "text/plain", but with setRequestHeader, it's "TEXT/Plain". So, server-side code that does case-sensitive comparisons (something like if (contentType == "text/plain") ... else if (contentType == "multipart/form-data") else <assume application/x-www-form-urlencoded>) can be fooled. I'm not saying that this is a particularly likely bug for servers to have, but it's also extremely easy to protect from in CORS.

If we want to do normalization of media types it seems better to do that in XMLHttpRequest, no?


--
Anne van Kesteren
http://annevankesteren.nl/
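
Added example, not part of either message: the case-sensitive server-side check sketched in the quoted text, next to a version that normalizes the media type before matching and rejects anything it does not recognize. The function names and the sample header values are constructed for illustration.

```javascript
// Fragile: case-sensitive comparison with a permissive fallback,
// mirroring the pseudocode in the quoted message.
function classifyNaive(contentType) {
  if (contentType === "text/plain") return "text/plain";
  if (contentType === "multipart/form-data") return "multipart/form-data";
  return "application/x-www-form-urlencoded"; // assumed default
}

// Media type and subtype names are case-insensitive (RFC 2045), so strip
// parameters, trim, lowercase, and validate the token syntax before matching.
function normalizeMediaType(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  const token = "[!#$%&'*+.^_`|~0-9a-z-]+";
  return new RegExp("^" + token + "/" + token + "$").test(essence) ? essence : null;
}

const KNOWN = new Set([
  "text/plain",
  "multipart/form-data",
  "application/x-www-form-urlencoded",
]);

// Hardened: allowlist match on the normalized value, no silent default.
// A null result means the caller should answer 415 Unsupported Media Type.
function classifyStrict(contentType) {
  const essence = normalizeMediaType(contentType);
  return essence !== null && KNOWN.has(essence) ? essence : null;
}

// Constructed sample Content-Type header values.
const SAMPLES = [
  "text/plain",
  "TEXT/Plain",
  "text/plain; charset=UTF-8",
  "Multipart/Form-Data; boundary=x",
  "application/json",
];

// Returns the header values on which the two classifiers disagree,
// i.e. the inputs the naive check would route to the wrong parser.
function disagreements(samples) {
  return samples.filter((h) => classifyNaive(h) !== classifyStrict(h));
}
```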
