On 2/19/08, Anne van Kesteren <annevk@opera.com> wrote: > The issue is that cross-site requests that are possible today for GET do > not involve arbitrary headers made up by the author. Therefore servers > could be vulnerable to cross-site GET requests that do have arbitrary > headers set. This is a new attack vector and has nothing to do with the > same-origin blacklist. Hmm, I'm really not getting this... Can you describe one of these possible vulnerabilities for me please? And can you describe how it would only be triggered by a cross-site request and not a regular old GET on the same URL? Thanks. Mark. -- Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca Coactus; Web-inspired integration strategies http://www.coactus.comReceived on Wednesday, 20 February 2008 06:07:40 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 20 February 2008 06:07:42 GMT