On Wed, 20 Feb 2008 07:07:33 +0100, Mark Baker <distobj@acm.org> wrote:
> On 2/19/08, Anne van Kesteren <annevk@opera.com> wrote:
>> The issue is that cross-site requests that are possible today for GET do
>> not involve arbitrary headers made up by the author. Therefore servers
>> could be vulnerable to cross-site GET requests that do have arbitrary
>> headers set. This is a new attack vector and has nothing to do with the
>> same-origin blacklist.
>
> Hmm, I'm really not getting this...
>
> Can you describe one of these possible vulnerabilities for me please?

http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0191.html

> And can you describe how it would only be triggered by a cross-site
> request and not a regular old GET on the same URL?

Currently cross-site GET requests with arbitrary headers set are not possible.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Wednesday, 20 February 2008 09:59:50 GMT
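The distinction Anne draws above, as an added illustration that is not part of the thread: a model of which headers a browser attaches on its own to a "regular old GET" versus headers only author script can set, and a toy server check showing why trusting an author-set marker header as proof of a same-origin request is sound only while cross-site requests cannot carry such headers. The header list, the marker header name and the request objects are assumptions constructed for the example.

```javascript
// Added example, not code from the thread. Headers a browser sets itself on a
// form-, image- or link-triggered GET (assumed list; real browsers add more).
const BROWSER_SET_HEADERS = new Set([
  'host', 'user-agent', 'accept', 'accept-language', 'accept-encoding',
  'referer', 'cookie', 'connection',
]);

// True if a header of this name could only have been supplied by author script.
function isAuthorSetHeader(name) {
  return !BROWSER_SET_HEADERS.has(name.toLowerCase());
}

// A "regular old GET": possibly cross-site, but every header was chosen by the
// browser and none by the page author.
function isRegularCrossSiteGet(req) {
  return req.method === 'GET' &&
    Object.keys(req.headers).every((h) => !isAuthorSetHeader(h));
}

// 'plain'  - a GET the web already allowed cross-site (browser headers only)
// 'marked' - carries at least one author-set header
function classify(req) {
  return isRegularCrossSiteGet(req) ? 'plain' : 'marked';
}

// A common server-side pattern: treat an author-set marker header as evidence
// that the request came from same-origin script (assumed marker name).
function trustsByMarkerHeader(req) {
  const marker = req.headers['x-requested-with'];
  return marker !== undefined && marker.toLowerCase() === 'xmlhttprequest';
}

// What the marker proves depends on the platform: if cross-site requests can
// carry author-set headers, the marker is no longer evidence of anything.
// Returns 'marker' when the header is present and still meaningful, else 'none'.
function sameOriginEvidence(req, platform) {
  if (!trustsByMarkerHeader(req)) return 'none';
  return platform.crossSiteAuthorHeaders ? 'none' : 'marker';
}

// Constructed sample requests to the same URL: one plain, one with a marker.
const plainGet = {
  method: 'GET',
  headers: { host: 'example.test', cookie: 'sid=1', accept: '*/*' },
};
const markedGet = {
  method: 'GET',
  headers: { host: 'example.test', cookie: 'sid=1', 'x-requested-with': 'XMLHttpRequest' },
};
```

With `platform.crossSiteAuthorHeaders` set to `false` (the status quo Anne describes) the marked request yields `'marker'`; set to `true`, the same request yields `'none'`, which is the new exposure the thread is about.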