Re: Access Control for Cross-site Requests WD Published

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 18 Feb 2008 16:11:40 -0800
Message-ID: <47BA1EBC.7040600@sicking.cc>
To: mike amundsen <mca@amundsen.com>, "WAF WG (public)" <public-appformats@w3.org>

mike amundsen wrote:
> I agree w/ Kris:
> 
> Limiting HTTP headers is a real problem. I see no reason for this.
> Certainly not for security reasons.

How can you know that it is safe to send any header to any server? Note 
that no access checks are done before sending GET requests, so allowing 
any header there seems like it has great potential to have undesired 
effects on servers.

/ Jonas
Received on Tuesday, 19 February 2008 00:12:13 GMT
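
The concern raised in the reply above, as an added example that is not part of the message, the Working Draft, or any browser's code: a small model of which author-set headers would reach a server on a cross-site GET before any access check, under an "any header" policy versus a restricted one. The policy names, the allowlist contents, and the sample header `X-Example-Flag` are assumptions made for illustration.

```javascript
// Added illustration; not code from the Working Draft or from any browser.
// ASSUMPTION: this short allowlist stands in for "headers the user agent is
// willing to send unchecked"; the draft's actual list is not on this page.
const ALLOWED_WITHOUT_CHECK = new Set(["accept", "accept-language"]);

// Model of the point in the message: a cross-site GET is sent before any
// access check, so whatever author-set headers the policy lets through
// arrive at the server whether or not that server has opted in.
function headersSentBeforeCheck(method, authorHeaders, policy) {
  if (method.toUpperCase() !== "GET") {
    // ASSUMPTION: in this model, non-GET requests are checked before sending.
    return [];
  }
  const names = Object.keys(authorHeaders).map((n) => n.toLowerCase());
  if (policy === "any-header") {
    return names.sort();
  }
  if (policy === "restricted") {
    return names.filter((n) => ALLOWED_WITHOUT_CHECK.has(n)).sort();
  }
  throw new Error("unknown policy: " + policy);
}

// Headers that only the "any header" policy would deliver unchecked.
// This is the set a server operator never agreed to receive cross-site.
function uncheckedExposure(method, authorHeaders) {
  const open = headersSentBeforeCheck(method, authorHeaders, "any-header");
  const limited = headersSentBeforeCheck(method, authorHeaders, "restricted");
  return open.filter((n) => !limited.includes(n));
}

// Constructed sample request headers (not taken from the thread).
const SAMPLE_HEADERS = {
  "Accept": "application/json",
  "Accept-Language": "en",
  "X-Example-Flag": "1",
};

console.log(uncheckedExposure("GET", SAMPLE_HEADERS));
```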
