w3c / webdriver

Remote control interface that enables introspection and control of user agents.
https://w3c.github.io/webdriver/

Specification should explicitly allow the validation of the Content-Type of incoming requests #1578

Open randomstuff opened 3 years ago

randomstuff commented 3 years ago

The specification does not specify the Content-Type used for WebDriver requests. Even if the content of the request body is JSON, it appears to be valid (according to the specification) to send the request using Content-Type: application/x-www-form-urlencoded (for example).

Relevant snippets:

If request’s method is POST: Let parse result be the result of parsing as JSON with request’s body as the argument.

Where “parsing as JSON” is defined as:

The result of JSON deserialization with text is defined as the result of calling JSON.parse.

No mention that a suitable value for the Content-Type should be checked. This is only mandated for responses. This appears to be an involuntary omission in the specification.

Enforcing the value of the request Content-Type header is a simple way to prevent CSRF attacks against the WebDriver service. However, it has been argued that this is a violation of the specification.

Would it be possible to at least suggest the usage of a suitable Content-Type of application/json for requests and allow the servers to enforce this?

For reference, Geckodriver now rejects application/x-www-form-urlencoded, multipart/form-data and text/plain as a CSRF mitigation.
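The check discussed in this issue, as an added example in Python. This is not code from the WebDriver specification or from geckodriver; it models only the request pre-processing step that the quoted spec text describes (parse a POST body as JSON) and puts a Content-Type check in front of it. The function names, the two policies (`allowlist` for the application/json proposal, `denylist` for the three form media types geckodriver rejects), the HTTP status codes, and the sample requests are all this example's own assumptions, not behaviour taken from any implementation.

```python
import json

# Media types a browser will send cross-origin from an HTML <form> or a
# CORS "simple" request without any preflight. A WebDriver server that
# parses a JSON body arriving under one of these is reachable by CSRF
# from any web page the user happens to visit.
FORM_MEDIA_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})


def media_type(content_type):
    """'application/json; charset=utf-8' -> 'application/json' (parameters dropped, lowercased)."""
    return content_type.split(";", 1)[0].strip().lower()


def check_content_type(headers, policy="allowlist"):
    """
    Return True when a POST body under these headers may be parsed as JSON.

    policy="allowlist": require application/json (the proposal in this issue).
    policy="denylist":  reject only the three form media types (the mitigation
                        the issue attributes to geckodriver); a missing header passes.
    Header names are matched case-insensitively.
    """
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    if policy == "allowlist":
        return ct is not None and media_type(ct) == "application/json"
    if policy == "denylist":
        return ct is None or media_type(ct) not in FORM_MEDIA_TYPES
    raise ValueError("unknown policy: %r" % policy)


def handle_request(method, headers, body, policy="allowlist"):
    """
    Minimal model of a WebDriver server's request pre-processing (assumed shape,
    not any real server's API). Returns (http_status, payload).

    Status codes are this example's choice: 415 for a rejected media type,
    400 "invalid argument" for a body that is not a JSON object, 200 with the
    parsed body otherwise.
    """
    if method != "POST":
        return 200, None  # only POST carries a body to parse
    if not check_content_type(headers, policy):
        return 415, {"error": "unsupported media type"}
    try:
        parsed = json.loads(body)
    except ValueError:
        return 400, {"error": "invalid argument"}
    if not isinstance(parsed, dict):
        # WebDriver command parameters are a JSON object; reject arrays/scalars
        return 400, {"error": "invalid argument"}
    return 200, parsed


# Constructed cross-site request. An attacker page can submit a form with
# enctype="text/plain" to a WebDriver endpoint such as POST /session using
#   <input name='{"capabilities":{},"x":"' value='"}'>
# The text/plain form encoding writes name=value, which yields a valid JSON
# object, so a server that ignores Content-Type would accept it as a command.
CSRF_HEADERS = {"Content-Type": "text/plain"}
CSRF_BODY = '{"capabilities":{},"x":"="}\r\n'

# Constructed request from a legitimate WebDriver client library.
CLIENT_HEADERS = {"content-type": "application/json; charset=utf-8"}
CLIENT_BODY = '{"capabilities":{}}'

if __name__ == "__main__":
    print("cross-site form POST:", handle_request("POST", CSRF_HEADERS, CSRF_BODY))
    print("client POST:        ", handle_request("POST", CLIENT_HEADERS, CLIENT_BODY))
```

The allowlist form is the stricter of the two and is what the issue asks the specification to permit; the denylist form is the narrower change that only closes the browser-reachable media types and leaves other non-browser clients untouched. Either way the check runs before JSON parsing, so a form submission never reaches the command dispatcher.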

whimboo commented 3 years ago

@AutomatedTester can you please have a look? Thanks.