Sending login credentials as text/html content typ

Published 2019-07-24 07:25

Question:

I am working with a REST service for login authentication which expects that I send credentials as text/html and does not work if I send them as application/x-www-form-urlencoded content type.

Is it less secure to send them as text/* (I assume it is)? How does application/* make it more secure?

RELATED: CAS REST authentication API accepts text/* but not application/* content type

Answer 1:

This might be a (weak) form of CSRF protection. Cross-domain calls from Javascript with application/x-www-form-urlencoded will make it to the server as is, so an attacker might be able to log a user in from the attacker's domain by sending AJAX requests. However, if only text/html is accepted, such a request triggers a preflight OPTIONS request first if cross-domain, and the browser will not send the actual data if the server doesn't explicitly allow it with CORS headers.

So the API requesting credentials as text/html is slightly more secure than application/x-www-form-urlencoded. Other than this, it does not have much effect on security.

(Only loosely related, but note that content type does have an important security effect in server responses though. JSON data does not have to be HTML-encoded as JSON is just a data format, and the client JavaScript application can and should decide how to render or encode downloaded data. However, if data is not encoded in JSON, any JSON data "page", i.e. the resulting JSON string itself, is vulnerable to XSS if sent as text/html, because the browser will just render it as HTML, running any JavaScript inside. So JSON responses should always be application/json, in which case a browser would not run it as JavaScript.)