Re: Access Control for Cross-site Requests WD Published

From: John Panzer <jpanzer@acm.org>
Date: Mon, 18 Feb 2008 19:06:52 -0800
Message-ID: <47BA47CC.4050205@acm.org>
To: Jonas Sicking <jonas@sicking.cc>
CC: mike amundsen <mca@amundsen.com>, "WAF WG (public)" <public-appformats@w3.org>

Jonas Sicking wrote:
>
> mike amundsen wrote:
>> I agree w/ Kris:
>>
>> Limiting HTTP headers is a real problem. I see no reason for this.
>> Certainly not for security reasons.
>
> How can you know that it is safe to send any header to any server? 
> Note that no access checks are done before sending GET requests, so 
> allowing any header there seems like it has great potential to have 
> undesired effects on servers.
>
Note that modifying operations (POST, DELETE, etc.) do have an access 
check performed before execution.  If nothing else is changed, could the 
spec be modified so that it allowed all headers for such operations?

Received on Tuesday, 19 February 2008 03:07:10 GMT
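
The mechanism the messages above are arguing about, as an added example that is not part of the thread or of the Working Draft: a JavaScript simulation of the browser's send-or-preflight decision together with a mock resource server. It follows the CORS semantics browsers ship today (the Fetch standard's algorithm), which differ in detail from the February 2008 draft, so treat that as an assumption; the origins, paths, header names and the server's opt-in policy are hypothetical.

```javascript
// Added example, not code from the thread or the Working Draft.  Assumes
// today's Fetch/CORS semantics; origins, paths, headers and policy are made up.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// True if this request header may go cross-site without a preflight (CORS-safelisted).
function isSafelistedHeader(name, value) {
  if (value.length > 128) return false; // Fetch caps safelisted values at 128 bytes
  switch (name.toLowerCase()) {
    case "accept":
    case "accept-language":
    case "content-language":
      return true;
    case "content-type": {
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFELISTED_CONTENT_TYPES.has(essence);
    }
    default:
      return false; // anything else (X-Custom, Authorization, ...) forces a preflight
  }
}

function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// The browser asks first (OPTIONS preflight) only when the method or some
// header is outside the safelist; a bare GET goes out with no check at all.
function needsPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(lowerKeys(headers)).some(([k, v]) => !isSafelistedHeader(k, v));
}

// Mock resource server with a hypothetical opt-in policy.  Every real
// (non-preflight) request is recorded as a side effect, whoever sent it.
function makeServer(policy) {
  const server = { sideEffects: [] };
  server.handle = (req) => {
    const origin = req.headers.origin;
    const originOk = policy.origins.includes(origin);
    if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
      const method = req.headers["access-control-request-method"];
      const asked = (req.headers["access-control-request-headers"] || "")
        .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
      const ok = originOk && policy.methods.includes(method) &&
        asked.every((h) => policy.headers.includes(h));
      if (!ok) return { status: 403, headers: {} };
      return { status: 204, headers: {
        "access-control-allow-origin": origin,
        "access-control-allow-methods": policy.methods.join(", "),
        "access-control-allow-headers": policy.headers.join(", "),
      } };
    }
    server.sideEffects.push(`${req.method} ${req.path} from ${origin}`);
    return { status: 200, headers: originOk ? { "access-control-allow-origin": origin } : {} };
  };
  return server;
}

// Browser side of one cross-site request: did a preflight happen, did the
// server execute the request, and may the page read the response?
function crossSiteFetch(origin, method, path, headers, server) {
  const h = lowerKeys(headers);
  const before = server.sideEffects.length;
  let preflighted = false;
  if (needsPreflight(method, h)) {
    preflighted = true;
    const unsafe = Object.entries(h).filter(([k, v]) => !isSafelistedHeader(k, v)).map(([k]) => k);
    const pre = server.handle({ method: "OPTIONS", path, headers: {
      origin,
      "access-control-request-method": method,
      "access-control-request-headers": unsafe.join(", "),
    } });
    const split = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);
    const preOk = pre.status < 300 &&
      pre.headers["access-control-allow-origin"] === origin &&
      (SAFELISTED_METHODS.has(method) || split(pre.headers["access-control-allow-methods"]).includes(method)) &&
      unsafe.every((k) => split(pre.headers["access-control-allow-headers"]).map((s) => s.toLowerCase()).includes(k));
    if (!preOk) return { allowed: false, preflighted, serverRan: false }; // real request never sent
  }
  const res = server.handle({ method, path, headers: { ...h, origin } });
  // For a non-preflighted request this is the only check, and it runs after
  // the server has already acted on the request.
  const allowed = res.headers["access-control-allow-origin"] === origin;
  return { allowed, preflighted, serverRan: server.sideEffects.length > before };
}

// The cases argued in the thread, run against one hypothetical server.
function demo() {
  const server = makeServer({ origins: ["https://app.example"], methods: ["GET", "DELETE"], headers: ["x-csrf-token"] });
  return {
    plainGet: crossSiteFetch("https://evil.example", "GET", "/profile", {}, server), // no preflight; server runs, response hidden
    getWithHeader: crossSiteFetch("https://evil.example", "GET", "/profile", { "X-Custom": "1" }, server), // preflight fails; server never runs
    deleteOk: crossSiteFetch("https://app.example", "DELETE", "/profile", { "X-CSRF-Token": "t" }, server), // preflight passes
    deleteBadHeader: crossSiteFetch("https://app.example", "DELETE", "/profile", { "X-Other": "1" }, server), // unlisted header refused
    sideEffects: server.sideEffects,
  };
}
```

Calling demo() returns the outcome of each case. The plain GET is Jonas's point: the server has already executed the request by the time the browser looks for Access-Control-Allow-Origin, so the only thing the check can do is hide the response. The two DELETE cases are the access check John refers to, gating the request before it is sent at all. The GET with a custom header shows that in today's CORS a non-safelisted header on GET triggers that same preflight rather than being sent unchecked.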