Re: Accountability in AC4CSR

Ian Hickson wrote:
> On Mon, 11 Feb 2008, John Panzer wrote:
>   
>> My point here is just that there are existing mechanisms that are 
>> already deployed in the field to deal with these attacks.  And to plead, 
>> as a side note, not to block the use of such mechanisms for AC4CSR...
>>     
>
> I'm not sure we could block them if we tried. :-)
>
> (Though they might need to use different headers, of course -- we 
> obviously can't allow scripts doing cross-origin requests to arbitrarily 
> change HTTP authenticiation headers.)
>   
Sorry, it's not obvious to me.  We're talking about a situation where 
the server has explicitly opted in to CSRs.  I can understand not 
sending authorization data from the browser itself by default, maybe, 
but to block scripts from setting a header seems unnecessary and will 
just lead to X-Authorization:.

Received on Wednesday, 13 February 2008 06:35:33 UTC