- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Wed, 20 Feb 2008 21:16:39 +0200
- To: "Mark Baker" <distobj@acm.org>
- Cc: Anne van Kesteren <annevk@opera.com>, mike amundsen <mamund@yahoo.com>, John Panzer <jpanzer@acm.org>, Jonas Sicking <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
On Feb 20, 2008, at 20:42, Mark Baker wrote: > It's not a new attack vector, because I can already use curl to send a > GET message which causes the harm you're worried about. AFAICT, all > that changes in a cross-site scenario is that the attacker uses the > client as an anonymizer, something that can already be done with open > proxies (of various flavours). What changes is that the browser in on the other side of the firewall unlike curl or an open proxy. -- Henri Sivonen hsivonen@iki.fi http://hsivonen.iki.fi/
Received on Wednesday, 20 February 2008 19:16:55 UTC