W3C home > Mailing lists > Public > public-appformats@w3.org > February 2008

Re: CSR and Mozilla - Clarifying HTTP Header Filtering

From: Henri Sivonen <hsivonen@iki.fi>
Date: Wed, 20 Feb 2008 21:16:39 +0200
Cc: Anne van Kesteren <annevk@opera.com>, mike amundsen <mamund@yahoo.com>, John Panzer <jpanzer@acm.org>, Jonas Sicking <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
Message-Id: <ED5B6289-570B-483C-B620-90713F9A7679@iki.fi>
To: "Mark Baker" <distobj@acm.org> 

On Feb 20, 2008, at 20:42, Mark Baker wrote:

> It's not a new attack vector, because I can already use curl to send a
> GET message which causes the harm you're worried about.  AFAICT, all
> that changes in a cross-site scenario is that the attacker uses the
> client as an anonymizer, something that can already be done with open
> proxies (of various flavours).


What changes is that the browser in on the other side of the firewall  
unlike curl or an open proxy.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Wednesday, 20 February 2008 19:16:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 20 February 2008 19:16:57 GMT