
Re: Accountability in AC4CSR

From: John Panzer <jpanzer@acm.org>
Date: Tue, 12 Feb 2008 22:31:54 -0800
Message-ID: <47B28EDA.7090301@acm.org>
To: Ian Hickson <ian@hixie.ch>
CC: "WAF WG (public)" <public-appformats@w3.org>
Ian Hickson wrote:
> On Mon, 11 Feb 2008, John Panzer wrote:
>   
>> My point here is just that there are existing mechanisms that are 
>> already deployed in the field to deal with these attacks.  And to plead, 
>> as a side note, not to block the use of such mechanisms for AC4CSR...
>>     
>
> I'm not sure we could block them if we tried. :-)
>
> (Though they might need to use different headers, of course -- we 
> obviously can't allow scripts doing cross-origin requests to arbitrarily 
> change HTTP authentication headers.)
>   
Sorry, it's not obvious to me.  We're talking about a situation where 
the server has explicitly opted in to CSRs.  I can understand not 
sending authorization data from the browser itself by default, maybe, 
but to block scripts from setting a header seems unnecessary and will 
just lead to X-Authorization:.
Received on Wednesday, 13 February 2008 06:35:33 GMT
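The question argued above (may a script on a cross-origin page set Authorization once the server has opted in, and what happens if it simply renames the header) is the one CORS later settled with the preflight rule. The following is an added example, not code from this message, from the WAF WG, or from the 2008 AC4CSR draft: it models that later rule as standardised in Fetch, where a non-safelisted header such as Authorization or X-Authorization is only sent if the server names it in Access-Control-Allow-Headers, with the extra wrinkle that the `*` wildcard never covers Authorization. All function names, the policy object shape and the sample policies are assumptions of this example; the safelist check is simplified (value-length limits are omitted).

```javascript
// Added example: a minimal model of the CORS preflight rule for script-set
// request headers. Not the AC4CSR draft of 2008; names and policy shape are
// local assumptions, and the policies below are constructed for illustration.

// Headers a script may set without triggering a preflight (CORS-safelisted).
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Browser side: does setting this header force a preflight?
// Authorization and X-Authorization are treated identically here: neither is
// safelisted, so both are gated on the server's opt-in.
function needsPreflight(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED.has(n)) return true;
  if (n === "content-type") {
    const mime = value.split(";")[0].trim().toLowerCase();
    return !SAFELISTED_CONTENT_TYPES.has(mime);
  }
  return false;
}

// Server side of the opt-in: would a preflight from `origin` asking to send
// `requestedHeaders` be accepted under `policy`?
// policy = { allowOrigins: [...], allowHeaders: [...], allowCredentials: bool }
function preflightAllowed(origin, requestedHeaders, policy) {
  const originOk = policy.allowOrigins.includes(origin) || policy.allowOrigins.includes("*");
  if (!originOk) return { ok: false, reason: "origin not allowed" };
  // A credentialed request may not rely on a wildcard origin.
  if (policy.allowCredentials && policy.allowOrigins.includes("*")) {
    return { ok: false, reason: "wildcard origin with credentials" };
  }
  const allowed = new Set(policy.allowHeaders.map((h) => h.toLowerCase()));
  // "*" in Access-Control-Allow-Headers is only a wildcard for non-credentialed
  // requests, and even then it does not cover Authorization (Fetch requires
  // that header to be listed by name).
  const wildcard = allowed.has("*") && !policy.allowCredentials;
  for (const h of requestedHeaders) {
    const n = h.toLowerCase();
    if (allowed.has(n)) continue;
    if (wildcard && n !== "authorization") continue;
    return { ok: false, reason: `header not allowed: ${n}` };
  }
  return { ok: true, reason: "" };
}

// Put both halves together: given the headers a script set, compute what the
// browser would put in Access-Control-Request-Headers and whether the actual
// request goes out at all.
function crossOriginRequestOutcome(origin, scriptHeaders, policy) {
  const requested = Object.entries(scriptHeaders)
    .filter(([k, v]) => needsPreflight(k, v))
    .map(([k]) => k.toLowerCase())
    .sort();
  if (requested.length === 0) {
    return { preflight: false, requested, sent: true, reason: "" };
  }
  const verdict = preflightAllowed(origin, requested, policy);
  return { preflight: true, requested, sent: verdict.ok, reason: verdict.reason };
}

// Constructed sample policy: the server has opted in to one origin and to the
// Authorization header only.
const samplePolicy = {
  allowOrigins: ["https://app.example"],
  allowHeaders: ["Authorization"],
  allowCredentials: false,
};

console.log(crossOriginRequestOutcome("https://app.example", { Authorization: "Bearer t" }, samplePolicy));
console.log(crossOriginRequestOutcome("https://app.example", { "X-Authorization": "t" }, samplePolicy));
```

Under this model the renaming that the message predicts does not bypass anything: X-Authorization goes through exactly the same preflight gate as Authorization, and the server still has to list it. The one place the two names differ is the wildcard: a server that answers with `Access-Control-Allow-Headers: *` has implicitly allowed X-Authorization but not Authorization, which is worth remembering when auditing a permissive CORS configuration.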