How about padding the remaining bytes forcefully with e.g. 0x20 if the WritableStream doesn't provide enough bytes to us?

Takeshi

On Tue, Nov 18, 2014 at 7:01 PM, Anne van Kesteren <ann...@annevk.nl> wrote:
> On Tue, Nov 18, 2014 at 10:34 AM, Domenic Denicola <d...@domenic.me> wrote:
> > I still think we should just allow the developer full control over the
> > Content-Length header if they've taken full control over the contents of
> > the request body (by writing to its stream asynchronously and piecemeal).
> > It gives no more power than using CURL. (Except the usual issues of
> > ambient/cookie authority, but those seem orthogonal to Content-Length
> > mismatch.)
>
> Why? If a service behind a firewall is vulnerable to Content-Length
> mismatches, you can now attack such a service by tricking a user
> behind that firewall into visiting evil.com.
>
> --
> https://annevankesteren.nl/
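
The padding idea suggested in this message, sketched as an added example that is not part of the original thread: a framer that keeps the bytes sent equal to the declared Content-Length by padding a short body with 0x20. `FixedLengthFramer` and `frameBody` are hypothetical names, and rejecting an over-long body is an assumption, since the message only covers the short case.

```javascript
// Added illustration; FixedLengthFramer and frameBody are hypothetical names,
// not part of the Streams or Fetch specifications.
const PAD_BYTE = 0x20; // the padding byte suggested in the message above

class FixedLengthFramer {
  constructor(declaredLength) {
    if (!Number.isSafeInteger(declaredLength) || declaredLength < 0) {
      throw new RangeError("Content-Length must be a non-negative integer");
    }
    this.remaining = declaredLength;
    this.closed = false;
  }

  // Returns the bytes that may go on the wire for this chunk.
  write(chunk) {
    if (this.closed) throw new Error("body already closed");
    if (chunk.length > this.remaining) {
      // Assumption: excess data is an error rather than silently truncated.
      this.closed = true;
      throw new RangeError("body exceeds declared Content-Length");
    }
    this.remaining -= chunk.length;
    return chunk;
  }

  // Called when the producer ends the stream; returns the padding needed
  // so the total sent equals the declared length exactly.
  close() {
    if (this.closed) throw new Error("body already closed");
    this.closed = true;
    const pad = new Uint8Array(this.remaining).fill(PAD_BYTE);
    this.remaining = 0;
    return pad;
  }
}

// Frames a list of string chunks against a declared length and returns
// the exact bytes that would be sent as the request body.
function frameBody(declaredLength, chunks) {
  const framer = new FixedLengthFramer(declaredLength);
  const parts = chunks.map((c) => framer.write(new TextEncoder().encode(c)));
  parts.push(framer.close());
  const wire = new Uint8Array(declaredLength);
  let offset = 0;
  for (const p of parts) { wire.set(p, offset); offset += p.length; }
  return wire;
}

// Constructed sample: declare 16 bytes, then write only 11.
console.log(JSON.stringify(new TextDecoder().decode(frameBody(16, ["hello ", "world"]))));
```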