On Wed, 25 Jul 2007 15:52:06 +0200, Jonas Sicking <jonas@sicking.cc> wrote: > The part I'm worried about is that the Authorization header will be > picked up by your (the authors) web sever. However Proxy-Authorization > will be picked up by the proxy. Using this you can potentially launch a > distributed brute-force password attack against a company proxy. This is > why I'm in general thinking that disallowing Proxy-* might be a good > idea. Ok, fair enough: http://dev.w3.org/cvsweb/~checkout~/2006/webapi/XMLHttpRequest/Overview.html?content-type=text/html;%20charset=utf-8#setrequestheader Is that better? -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>Received on Wednesday, 25 July 2007 14:30:34 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT