On Tue, Nov 18, 2014 at 10:34 AM, Domenic Denicola <d...@domenic.me> wrote:
> I still think we should just allow the developer full control over the
> Content-Length header if they've taken full control over the contents of the
> request body (by writing to its stream asynchronously and piecemeal). It
> gives no more power than using CURL. (Except the usual issues of
> ambient/cookie authority, but those seem orthogonal to Content-Length
> mismatch.)

Why? If a service behind a firewall is vulnerable to Content-Length mismatches, you can now attack such a service by tricking a user behind that firewall into visiting evil.com.

--
https://annevankesteren.nl/
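
The check a service needs in order not to be "vulnerable to Content-Length mismatches", as an added example that is not part of the original thread or of any project's code. The function name, result labels and sample requests are constructed for illustration; it assumes the buffer holds exactly the bytes received for one request and that Transfer-Encoding is not in use.

```python
# Added illustration: strict Content-Length framing check for one HTTP/1.1
# request. check_framing and its result labels are hypothetical names.

def check_framing(raw: bytes) -> str:
    """Classify how the declared Content-Length relates to the bytes received."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete_headers"

    # Collect every Content-Length value; duplicates that disagree are an error.
    lengths = set()
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"content-length":
            lengths.add(value.strip())
    if len(lengths) > 1:
        return "conflicting_content_length"

    value = lengths.pop() if lengths else b"0"    # no header means no body
    if not value.isdigit():                       # rejects "", "+5", "-1", "5, 5"
        return "invalid_content_length"
    declared = int(value)

    if len(body) < declared:
        # A lenient reader would block, or take the next request's bytes as body.
        return "short_body"
    if len(body) > declared:
        # A lenient reader would parse the leftover bytes as a second request.
        return "excess_bytes"
    return "ok"


# Constructed sample requests (not captured traffic).
HEAD = b"POST /api HTTP/1.1\r\nHost: internal.example\r\n"
SAMPLES = {
    "match": HEAD + b"Content-Length: 5\r\n\r\nhello",
    "short": HEAD + b"Content-Length: 10\r\n\r\nhello",
    "excess": HEAD + b"Content-Length: 5\r\n\r\nhello-and-more",
    "conflict": HEAD + b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello",
    "signed": HEAD + b"Content-Length: +5\r\n\r\nhello",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:9s} -> {check_framing(request)}")
```

A server that closes the connection on anything other than `ok` leaves no leftover bytes on a reused connection to be misread as another request.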