
Re: Spoofing the Access-Control-Origin in existing browsers

From: Anne van Kesteren <annevk@opera.com>
Date: Mon, 25 Feb 2008 11:15:32 +0100
To: "Collin Jackson" <collinj@cs.stanford.edu>, "Adam Barth" <abarth@cs.stanford.edu>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
Message-ID: <op.t62r36fr64w2qv@annevk-t60.oslo.opera.com>

On Mon, 25 Feb 2008 10:59:15 +0100, Collin Jackson <collinj@cs.stanford.edu> wrote:
> For public web servers, a practical way to defend against these
> attacks is to check the request's Host header as well as the
> Access-Control-Origin header. If the Host header doesn't match the
> server's host name, the server should ignore the Access-Control-Origin
> header and refuse the request. The specification should recommend this
> defense in Section 3 (Security Considerations).

Thanks, I've added this. I gave credit to you and Adam Barth. Hope that's ok.

   http://dev.w3.org/2006/waf/access-control/#security


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
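As an added illustration of the Host-header check Collin describes (not code from this thread or from the Access Control specification), here is a server-side decision function in Python. The server host names, the allowed origins and the `evaluate` helper are constructed for the example; the header name `Access-Control-Origin` is the one used in the draft discussed above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Host names this server is deployed under (constructed example values).
SERVER_HOSTS: Set[str] = {"api.example.com"}
# Origins permitted to make cross-site requests (constructed example values).
ALLOWED_ORIGINS: Set[str] = {"https://app.example.com"}


@dataclass
class Decision:
    accept: bool                 # serve the request at all?
    allow_origin: Optional[str]  # origin granted access in the response, if any
    reason: str


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def _normalize_host(host: str) -> str:
    """Lower-case the Host value and drop a default HTTP/HTTPS port suffix."""
    host = host.lower()
    for default in (":80", ":443"):
        if host.endswith(default):
            host = host[: -len(default)]
    return host


def evaluate(headers: Dict[str, str],
             server_hosts: Set[str] = SERVER_HOSTS,
             allowed_origins: Set[str] = ALLOWED_ORIGINS) -> Decision:
    """Decide whether to honour Access-Control-Origin for one request.

    The Host header is checked first: if it does not name this server, the
    request is refused and Access-Control-Origin is never consulted, which
    is the defence recommended in the thread above.
    """
    host = _header(headers, "Host")
    if host is None or _normalize_host(host) not in server_hosts:
        return Decision(False, None, "Host header missing or not one of ours")
    origin = _header(headers, "Access-Control-Origin")
    if origin is None:
        # No cross-site origin claimed; treat as an ordinary request.
        return Decision(True, None, "no Access-Control-Origin header")
    if origin in allowed_origins:
        return Decision(True, origin, "origin allowed")
    return Decision(False, None, "origin not on the allow list")
```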
Received on Monday, 25 February 2008 10:11:01 GMT