14665 2011-11-01 21:29:52 +0000 Content-Type is not a simple header 2011-11-23 17:03:23 +0000 1 1 1 Unclassified WebAppsSec CORS unspecified PC All RESOLVED FIXED P2 normal --- 1 annevk annevk jonas mike public-webapps public-webappsec dave.null oldest_to_newest 59446 0 annevk 2011-11-01 21:29:52 +0000 Instead of treating Content-Type as a simple header it should be treated as a header that is checked irrespective of origin (whether set by author or UA). We should also look into unknown MIME type parameters. 59465 1 jonas 2011-11-02 01:29:48 +0000 I don't understand what this means. The Content-Type header is almost alway set for POST. Does this mean all POSTs should be preflighted? 59480 2 annevk 2011-11-02 12:54:52 +0000 It is about simple headers being only checked against headers set by authors, whereas Content-Type can also be set by the user agent (e.g. if you pass a File object to send()). 59499 3 jonas 2011-11-02 16:00:10 +0000 Ah, so you're saying we should always check it's value against the whitelist. Not just when it's set through setRequestHeader or some such? That I agree with. 60375 4 annevk 2011-11-23 12:22:38 +0000 Having looked at this some more I think actually that in XMLHttpRequest the send() algorithm should just add Content-Type to author request headers instead. send() is effectively doing a setRequestHeader() thing there. 60385 5 annevk 2011-11-23 17:03:23 +0000 I changed XMLHttpRequest as suggested: http://dev.w3.org/cvsweb/2006/webapi/XMLHttpRequest-2/Overview.src.html.diff?r1=1.204;r2=1.205;f=h I also clarified CORS that Content-Type is supposed to be listed by servers even though it is sometimes a simple header: http://dvcs.w3.org/hg/cors/rev/83bc552d856f I think this resolves http://www.w3.org/2011/webappsec/track/actions/11 although the wording of that action is somewhat unclear.