Re: HTTPbis and the Same Origin Policy

On Mon, 30 Nov 2009, Tyler Close wrote:

>> An API such as libcurl (http://curl.haxx.se/libcurl/) doesn't contain any 
>> such restrictions, or does it?
>
> If you use libcurl to send a PUT request and the target resource responds 
> with a 307, which libcurl then automatically follows

libcurl only "automatically" follows that if the app told it to act like that. 
It follows no redirects by default. I know that's not the topic here but I 
thought I'd clarify.

> Consider a webbot that sends a PUT request to a resource on the open 
> Internet, which responds with a 307 to a resource behind the same firewall 
> as the webbot. The webbot has essentially punched a hole in the firewall.

If a server does that I would consider that server/page to be a security 
problem or flaw. Even evil guys can run webbots I believe.

-- 

  / daniel.haxx.se

Received on Monday, 30 November 2009 21:01:06 UTC
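The scenario above (a PUT answered with a 307 pointing at an address behind the client's own firewall) is easy to reproduce in a small redirect-following client, so here is an added example, not code from this thread and not libcurl's own code. It mirrors the behaviour Daniel describes (redirects are off unless the application turns them on, as with libcurl's CURLOPT_FOLLOWLOCATION) and adds the check a webbot needs before following: the redirect target must use http/https, must not be an IP literal in a loopback/private/link-local range, and can optionally be pinned to the original origin. The transport interface, the `RedirectPolicy`-style functions, the fake in-memory transport and the sample URLs (example.com, 10.0.0.5) are all constructed for this illustration.

```python
"""Added example: redirect following with a target check (not libcurl code)."""
import http.client
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class RedirectRefused(Exception):
    """Raised when a Location header points somewhere the policy forbids."""


def host_is_internal(host):
    """True for IP literals outside the global range (127/8, 10/8, ::1, ...)
    and for 'localhost'. Hostnames are NOT resolved here; a real bot must
    resolve every name, check every returned address, and connect to the
    address it checked (otherwise DNS rebinding bypasses this test)."""
    host = (host or "").strip("[]").lower()
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # a hostname, not an IP literal


def check_redirect_target(original_url, location, same_origin_only=False):
    """Resolve Location against the request URL and apply the policy."""
    target = urljoin(original_url, location)
    t = urlsplit(target)
    if t.scheme not in ("http", "https"):
        raise RedirectRefused("scheme %r not allowed in redirect" % t.scheme)
    if not t.hostname or host_is_internal(t.hostname):
        raise RedirectRefused("redirect to internal address %r" % t.hostname)
    if same_origin_only:
        o = urlsplit(original_url)
        if (o.scheme, o.hostname, o.port) != (t.scheme, t.hostname, t.port):
            raise RedirectRefused("cross-origin redirect refused: %s" % target)
    return target


def fetch(method, url, body, transport, follow_location=False,
          max_redirects=5, same_origin_only=False):
    """transport(method, url, body) -> (status, headers, body_bytes).
    follow_location defaults to False, like libcurl. Returns
    (final_status, final_body, hops) where hops lists every request made."""
    hops = []
    for _ in range(max_redirects + 1):
        status, headers, resp = transport(method, url, body)
        hops.append((method, url, status))
        if not follow_location or status not in REDIRECT_STATUSES:
            return status, resp, hops
        location = next((v for k, v in headers.items()
                         if k.lower() == "location"), None)
        if location is None:
            return status, resp, hops
        url = check_redirect_target(url, location, same_origin_only)
        # 303 always becomes GET; 301/302 turn POST into GET (common UA
        # behaviour); 307/308 replay method AND body unchanged, which is
        # exactly why a 307 to an internal host is the dangerous case.
        if status == 303 or (status in (301, 302) and method == "POST"):
            method, body = "GET", None
    raise RedirectRefused("more than %d redirects" % max_redirects)


def http_transport(method, url, body, timeout=10):
    """Real transport over http.client, for use against live servers."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    path = (p.path or "/") + ("?" + p.query if p.query else "")
    conn.request(method, path, body=body)
    r = conn.getresponse()
    data = r.read()
    conn.close()
    return r.status, dict(r.getheaders()), data


# Constructed in-memory "network" for an offline demonstration.
SAMPLE = {
    ("PUT", "http://example.com/upload"): (307, {"Location": "http://10.0.0.5/admin/config"}, b""),
    ("PUT", "http://10.0.0.5/admin/config"): (200, {}, b"firewall hole"),
    ("PUT", "http://example.com/other"): (307, {"Location": "/v2/other"}, b""),
    ("PUT", "http://example.com/v2/other"): (200, {}, b"ok"),
    ("POST", "http://example.com/form"): (303, {"Location": "/done"}, b""),
    ("GET", "http://example.com/done"): (200, {}, b"done"),
}


def fake_transport(method, url, body):
    return SAMPLE[(method, url)]


def demo():
    out = {}
    # Default: the 307 is returned to the caller, nothing is followed.
    out["default"] = fetch("PUT", "http://example.com/upload", b"x", fake_transport)[0]
    # Following enabled: the PUT would be replayed against 10.0.0.5, so refuse.
    try:
        fetch("PUT", "http://example.com/upload", b"x", fake_transport, follow_location=True)
        out["internal"] = "followed"
    except RedirectRefused:
        out["internal"] = "refused"
    # Same-origin relative redirect: followed, PUT and body preserved.
    status, resp, hops = fetch("PUT", "http://example.com/other", b"x",
                               fake_transport, follow_location=True)
    out["same_origin"] = (status, resp, [m + " " + u for m, u, _ in hops])
    # 303 after POST: second hop is a GET.
    out["see_other"] = fetch("POST", "http://example.com/form", b"a=1",
                             fake_transport, follow_location=True)[2]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The check is deliberately conservative: an IP literal is judged directly, but a hostname passes through `host_is_internal` unchanged, so a production bot must resolve the name itself and apply the same range test to every address before connecting (and use that address, not re-resolve).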