* Jonas Sicking wrote:
>We most likely can consider the content-type header as *not* "custom".
>I was one of the people way back when that pointed out that there's a
>theoretical chance that allowing arbitrary content-type headers could
>cause security issues. But it seems highly theoretical.
>
>I suspect that the mozilla security team would be fine with allowing
>arbitrary content-types to be POSTed though. Worth asking. I can't
>speak for other browser vendors of course.

I think the situation might well be worse now than it was when we first
started discussing what is now "CORS". In any case, this would be an
experiment that cannot easily be undone, browser vendors would not pay
the bill if there are actually large scale security vulnerabilities
opened up by such a change, and I do not really see notable benefits in
conducting such an experiment.
-- 
Björn Höhrmann · mailto:bjo...@hoehrmann.de · http://bjoern.hoehrmann.de
D-10243 Berlin · PGP Pub. KeyID: 0xA4357E78 · http://www.bjoernsworld.de
Available for hire in Berlin (early 2015) · http://www.websitedev.de/