On Tue, 2011-08-02 at 16:46 +0200, Anne van Kesteren wrote:
> On Mon, 01 Aug 2011 16:09:17 +0200, Philippe De Ryck
> <[email protected]> wrote:
> > The CORS specification fails to protect legacy servers from POST
> > messages with arbitrary body formatting.
>
> You can create pretty much any arbitrary message body you want using
> application/x-www-form-urlencoded already by crafting smart names and
> values so the real importance is in not being able to set Content-Type.
> This is not a security problem as far as I can tell.
Using a form still results in the use of = and & in the body, even with crafted
names/values. Taking the ICS format as an example, this is very difficult to
encode in a normal form, but very easy with cross-origin XHR. This can leave
legacy servers open to a new attack vector.
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//hacksw/handcal//NONSGML v1.0//EN
BEGIN:VEVENT
UID:[email protected]
DTSTAMP:19970714T170000Z
ORGANIZER;CN=John Doe:MAILTO:[email protected]
DTSTART:19970714T170000Z
DTEND:19970715T035959Z
SUMMARY:Bastille Day Party
END:VEVENT
END:VCALENDAR
--
Philippe De Ryck
K.U.Leuven, Dept. of Computer Science
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
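Added example, not code from the thread or from either correspondent: it serialises the calendar object quoted above the way a browser form POST would, shows that the result still carries `=` and percent-escaped colons and line breaks, feeds both versions to a minimal line-based parser of the kind a legacy calendar endpoint might use, and adds the server-side check such an endpoint can apply so that a body it did not expect is rejected rather than parsed. The function names (`form_encode`, `parse_ics`, `is_form_encoded_body`) and the mailbox addresses in the sample are constructed for this example.

```python
from urllib.parse import urlencode

# Constructed sample based on the calendar object quoted in the thread;
# the addresses are placeholders, not real mailboxes.
ICS_BODY = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "PRODID:-//hacksw/handcal//NONSGML v1.0//EN\r\n"
    "BEGIN:VEVENT\r\n"
    "UID:uid1@example.com\r\n"
    "DTSTAMP:19970714T170000Z\r\n"
    "ORGANIZER;CN=John Doe:MAILTO:jdoe@example.com\r\n"
    "DTSTART:19970714T170000Z\r\n"
    "DTEND:19970715T035959Z\r\n"
    "SUMMARY:Bastille Day Party\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

# Characters that can appear in an application/x-www-form-urlencoded body:
# unreserved characters, '+' for space, '%' escapes, and the '=' / '&'
# separators. A raw ':' or CR/LF can never be produced by a form serialiser.
FORM_SAFE = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789*-._~+%=&"
)


def form_encode(fields: dict) -> str:
    """Serialise fields as a form POST would: name=value pairs joined by '&',
    with everything outside the unreserved set percent-encoded."""
    return urlencode(fields)


def parse_ics(body: str) -> dict:
    """Minimal line-oriented parser standing in for a legacy calendar
    endpoint. It keys on the raw ':' separator, so it only yields
    properties when the body arrives unencoded."""
    props = {}
    for line in body.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            # Drop parameters such as ';CN=John Doe' from the property name.
            props[name.split(";", 1)[0]] = value
    return props


def is_form_encoded_body(content_type: str, body: str) -> bool:
    """Defender-side guard for an endpoint that only expects form
    submissions: the declared media type must be the form type and every
    character must be one a form serialiser can emit."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        return False
    return all(ch in FORM_SAFE for ch in body)


if __name__ == "__main__":
    encoded = form_encode({ICS_BODY: ""})
    print("form-encoded body:", encoded)
    print("raw body parsed:", parse_ics(ICS_BODY))
    print("form-encoded body parsed:", parse_ics(encoded))
    print("text/plain accepted:", is_form_encoded_body("text/plain", ICS_BODY))
```

Running the block shows the two sides of the argument side by side: the form-encoded body ends in `=` and contains `%3A` and `%0D%0A` where the colons and line breaks were, so the line-based parser finds nothing in it, while the raw body parses into its properties. The guard at the end is the mitigation a legacy endpoint can adopt without touching the parser: refuse any body that is not declared and shaped as a form submission.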