
Re: CSR and Mozilla - Clarifying HTTP Header Filtering

From: Henri Sivonen <hsivonen@iki.fi>
Date: Wed, 20 Feb 2008 21:54:45 +0200
Cc: "Anne van Kesteren" <annevk@opera.com>, "mike amundsen" <mamund@yahoo.com>, "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
Message-Id: <E0809C25-5F8B-4B14-8648-8A329B49B06F@iki.fi>
To: "Mark Baker" <distobj@acm.org>

On Feb 20, 2008, at 21:49, Mark Baker wrote:

> On 2/20/08, Henri Sivonen <hsivonen@iki.fi> wrote:
>> What changes is that the browser is on the other side of the firewall
>> unlike curl or an open proxy.
>
> Hmm, good point.  Come to think of it, we've discussed this before.
> But in that case, the attack is upon firewalls, not broken servers.


No, in that case the attack scenario is upon a broken intranet server  
that the attacker couldn't reach from outside the firewall but can  
from a browser that runs inside the firewall but has loaded scripts  
from the outside.

-- 
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/
Received on Wednesday, 20 February 2008 19:55:06 GMT
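Added example, not part of the thread above: a small JavaScript model of the scenario Henri describes. A script loaded from an outside origin runs in a browser that sits inside the firewall and uses that browser to reach an intranet server that the attacker cannot connect to directly. All hosts, origins, paths and function names are hypothetical, and the header names (Origin, Access-Control-Allow-Origin, Access-Control-Request-Method) follow the origin/preflight model as it was later standardized as CORS, simplified for the model. Two servers are contrasted: a "broken" one that trusts the network perimeter and acts on any request, and a hardened one that refuses state changes for any Origin it does not explicitly trust.

```javascript
// Model of "attacker script in an inside browser reaches an intranet server".
// Hypothetical names throughout; header names follow the CORS-style origin/preflight model.

const INTRANET_HOST = "intranet.example.internal";   // hypothetical intranet host
const INTRANET_ORIGIN = "http://" + INTRANET_HOST;
const ATTACKER_ORIGIN = "http://attacker.example";   // hypothetical outside origin

// Firewall model: hosts under .internal are reachable only from "inside".
// curl or an open proxy on the Internet is "outside"; the victim's browser is "inside".
function firewallAllows(clientLocation, targetHost) {
  return !targetHost.endsWith(".internal") || clientLocation === "inside";
}

// "Broken" intranet server: trusts the perimeter and acts on any request it gets,
// including a state-changing POST, without looking at who sent it.
function brokenIntranetServer(req) {
  if (req.method === "POST" && req.path === "/admin/reboot") {
    return { status: 200, headers: {}, body: "rebooting", sideEffect: true };
  }
  return { status: 200, headers: {}, body: "status page", sideEffect: false };
}

// Hardened intranet server: honours the browser-supplied Origin. Only allow-listed
// origins get a successful preflight or a state change; everything else is refused.
const ALLOWED_ORIGINS = new Set([INTRANET_ORIGIN]);
function hardenedIntranetServer(req) {
  const origin = req.headers["origin"];
  const trusted = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  if (req.method === "OPTIONS") {
    return trusted
      ? { status: 200, headers: { "access-control-allow-origin": origin,
                                  "access-control-allow-methods": "GET, POST" },
          body: "", sideEffect: false }
      : { status: 403, headers: {}, body: "", sideEffect: false };
  }
  if (!trusted) return { status: 403, headers: {}, body: "forbidden", sideEffect: false };
  const res = brokenIntranetServer(req);          // same handlers, now behind an origin check
  return { ...res, headers: { "access-control-allow-origin": origin } };
}

// Browser model: a script on pageOrigin issues an XHR to the intranet server. The browser
// attaches Origin, sends a preflight for non-simple methods or custom headers, and only
// exposes the response to the script if the server allowed pageOrigin. Note that a
// "simple" cross-site POST is still sent (and still executed by a broken server).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);

function browserRequest({ pageOrigin, clientLocation, server, method, path, headers = {} }) {
  if (!firewallAllows(clientLocation, INTRANET_HOST)) {
    return { reached: false, exposed: false, sideEffect: false };
  }
  const sameOrigin = pageOrigin === INTRANET_ORIGIN;
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const custom = Object.keys(lower).filter((h) => !SIMPLE_HEADERS.has(h));
  if (!sameOrigin && (!SIMPLE_METHODS.has(method) || custom.length > 0)) {
    const pre = server({ method: "OPTIONS", path, headers: {
      origin: pageOrigin,
      "access-control-request-method": method,
      "access-control-request-headers": custom.join(", "),
    } });
    if (pre.status !== 200 || pre.headers["access-control-allow-origin"] !== pageOrigin) {
      return { reached: true, exposed: false, sideEffect: false, blockedBy: "preflight" };
    }
  }
  const res = server({ method, path, headers: { ...lower, origin: pageOrigin } });
  const exposed = sameOrigin || res.headers["access-control-allow-origin"] === pageOrigin;
  return { reached: true, exposed, sideEffect: res.sideEffect, status: res.status };
}

// Scenarios from the thread: outside attacker, outside script in an inside browser
// against both servers, and a legitimate same-origin intranet page.
function runScenarios() {
  const reboot = { method: "POST", path: "/admin/reboot" };
  const custom = { "X-Requested-With": "XMLHttpRequest" };   // triggers a preflight
  return {
    outsideAttacker: browserRequest({ pageOrigin: ATTACKER_ORIGIN, clientLocation: "outside",
                                      server: brokenIntranetServer, ...reboot }),
    scriptInsideBroken: browserRequest({ pageOrigin: ATTACKER_ORIGIN, clientLocation: "inside",
                                         server: brokenIntranetServer, ...reboot }),
    scriptInsideBrokenCustomHeader: browserRequest({ pageOrigin: ATTACKER_ORIGIN, clientLocation: "inside",
                                                     server: brokenIntranetServer, ...reboot, headers: custom }),
    scriptInsideHardened: browserRequest({ pageOrigin: ATTACKER_ORIGIN, clientLocation: "inside",
                                           server: hardenedIntranetServer, ...reboot }),
    intranetPageHardened: browserRequest({ pageOrigin: INTRANET_ORIGIN, clientLocation: "inside",
                                           server: hardenedIntranetServer, ...reboot }),
  };
}

for (const [name, r] of Object.entries(runScenarios())) console.log(name, r);
```

The scenario that matters for the argument is scriptInsideBroken: the outside attacker cannot reach the host at all, but the same request issued by a script in an inside browser is delivered and the broken server performs the state change even though the browser never shows the response to the script. The custom-header variant is blocked client-side by the preflight, which is why the set of headers a cross-site script may attach without a preflight is the security-relevant question in this thread; the hardened server shows the server-side fix, refusing any state change for an Origin it does not trust.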

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 20 February 2008 19:55:06 GMT