Endpoints that accept empty bodies also accept the empty bodies with Content-Type: application/json, which seems suspect #16393
This issue has been migrated from #16393.
e.g. Complement sends POST /forget without a JSON body, but it sets Content-Type: application/json anyway. Synapse is happy with that, but arguably shouldn't be. (Ignore the fact that this request is meant to require a JSON body #16366 for now)
It seems like we should hold clients to a JSON-encoded body if they go so far as to set the content-type in the request.
As at Synapse v1.92.
As a soft proposal, we could add warnings when this is violated to start with so we can track down any clients that might be relying on this.
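
The warn-first check proposed above, written as an added example; it is not Synapse's code and not part of the original issue. The names `parse_json_body`, `media_type`, the `strict` flag, the logger name and the sample requests are assumptions made for illustration.

```python
import json
import logging

logger = logging.getLogger("json_body_check")  # hypothetical logger name


def media_type(content_type):
    """Lowercased media type with parameters (e.g. charset) stripped."""
    return content_type.split(";", 1)[0].strip().lower() if content_type else None


def parse_json_body(headers, body, strict=False):
    """Return (value, warning) for an endpoint that accepts an empty body.

    value is the decoded JSON, or None for an accepted empty body.
    strict=False only warns about an empty body declared as JSON;
    strict=True rejects it. Malformed JSON is always rejected (ValueError).
    """
    # Header names are case-insensitive, so normalise them first.
    headers = {k.lower(): v for k, v in headers.items()}
    declares_json = media_type(headers.get("content-type")) == "application/json"

    if not body.strip():  # assumption: a whitespace-only body counts as empty
        if not declares_json:
            return None, None
        warning = "empty body declared as application/json (User-Agent: %s)" % (
            headers.get("user-agent", "unknown"),
        )
        if strict:
            raise ValueError(warning)
        logger.warning(warning)  # lets operators find clients relying on this
        return None, warning

    # json.loads raises ValueError (JSONDecodeError / UnicodeDecodeError) on bad input.
    return json.loads(body), None


if __name__ == "__main__":
    # Constructed requests modelled on the POST /forget case in the issue.
    samples = [
        ({"Content-Type": "application/json", "User-Agent": "complement"}, b""),
        ({}, b""),
        ({"Content-Type": "application/json"}, b"{}"),
    ]
    for hdrs, data in samples:
        print(hdrs, data, "->", parse_json_body(hdrs, data))
```

Running with `strict=False` first and switching to `strict=True` once the warnings stop matches the staged rollout the issue suggests.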