On Thu, 22 May 2008 11:29:51 +0200, Ian Hickson <ian@hixie.ch> wrote: > I'd vote for keeping it, with big warnings giving examples of how it can > go wrong if used on IIS servers, and with warnings to avoid using it with > mod_rewrite rules that map things out of the scope of the policy path. > > If we start worrying about what happens with misconfigured servers, we're > going to end up paralysed. What about a server that's misconfigured to > delete its filesystem if you send it an OPTIONS request with a header it > doesn't recognise? Ok, Access-Control-Policy-Path stays in. (An additional requirement for this attack by the way is that the victim has a deal with the attacker or that the attacker managed to get hold of a site that has a deal with victim (in which case other bad stuff could happen as well).) I used your example and that of Björn and added a pointer (within a big red warning) from the definition of Access-Control-Policy-Path to the security section where the situation is explained. -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>Received on Saturday, 24 May 2008 10:04:01 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Saturday, 24 May 2008 10:04:02 GMT