- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 25 Feb 2008 11:15:32 +0100
- To: "Collin Jackson" <collinj@cs.stanford.edu>, "Adam Barth" <abarth@cs.stanford.edu>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
On Mon, 25 Feb 2008 10:59:15 +0100, Collin Jackson <collinj@cs.stanford.edu> wrote:

> For public web servers, a practical way to defend against these
> attacks is to check the request's Host header as well as the
> Access-Control-Origin header. If the Host header doesn't match the
> server's host name, the server should ignore the Access-Control-Origin
> header and refuse the request. The specification should recommend this
> defense in Section 3 (Security Considerations).

Thanks, I've added this. I gave credit to you and Adam Barth. Hope that's ok.

http://dev.w3.org/2006/waf/access-control/#security

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Monday, 25 February 2008 10:11:01 UTC
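The Host-header defence quoted in the message above, written out as a server-side decision function. This is an added example, not code from the thread or from the W3C draft; the host names, allow list and sample requests are constructed, and the request header name follows the 2008 draft discussed here (current browsers send the same value in the `Origin` header).

```python
# Added example: the "check Host before trusting Access-Control-Origin" rule.
# SERVER_HOSTS and ALLOWED_ORIGINS are constructed values for illustration.
SERVER_HOSTS = {"api.example.com", "api.example.com:443"}   # constructed
ALLOWED_ORIGINS = {"https://app.example.com"}               # constructed


def decide_cross_site_access(headers, server_hosts=SERVER_HOSTS,
                             allowed_origins=ALLOWED_ORIGINS):
    """Classify one request by its Host and Access-Control-Origin headers.

    Returns one of:
      "refuse"   -> Host does not name this server; the request is refused
                    and Access-Control-Origin is never consulted.
      "ordinary" -> Host is ours and no Access-Control-Origin was sent.
      "grant"    -> Host is ours and the origin is on the allow list.
      "deny"     -> Host is ours but the origin is not on the allow list.
    """
    # Header names are case-insensitive; values are compared after trimming.
    h = {name.lower(): value.strip() for name, value in headers.items()}

    # Step 1: the Host check. Whatever name the client resolved to reach this
    # server, the request must state that it was meant for one of our own
    # host names; otherwise it is refused before any origin logic runs.
    host = h.get("host", "").lower()
    if host not in {s.lower() for s in server_hosts}:
        return "refuse"

    # Step 2: only now consult the origin the browser reported.
    origin = h.get("access-control-origin")
    if origin is None:
        return "ordinary"
    if origin.lower() in {o.lower() for o in allowed_origins}:
        return "grant"
    return "deny"


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one, one whose Host names
    # some other site, and a plain request with no origin header.
    samples = [
        {"Host": "api.example.com", "Access-Control-Origin": "https://app.example.com"},
        {"Host": "other.example", "Access-Control-Origin": "https://app.example.com"},
        {"Host": "api.example.com"},
    ]
    for s in samples:
        print(s.get("Host"), "->", decide_cross_site_access(s))
```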