Description
The specification does not specify the Content-Type used for WebDriver requests. Even if the content of the request body is JSON, it appears to be valid (according to the specification) to send the request using Content-Type: application/x-www-form-urlencoded (for example).
Relevant snippets:
If request’s method is POST: Let parse result be the result of parsing as JSON with request’s body as the argument.
Where “parsing as JSON” is defined as:
The result of JSON deserialization with text is defined as the result of calling JSON.[Parse].
No mention that a suitable value for the Content-Type should be checked. This is only mandated for responses. This appears to be an involuntary omission in the specification.
Enforcing the value of the request Content-Type header is a simple way to prevent CSRF attacks against the WebDriver service. However, it has been argued that this is a violation of the specification.
Would it be possible to at least suggest the usage of a suitable of application/json for requests and allow the servers to enforce this?
For reference, Geckodriver now rejects application/x-www-form-urlencoded, multipart/form-data and text/plain as a CSRF mitigation.