W3C home > Mailing lists > Public > public-webapi@w3.org > July 2007

Re: [xhr] proxy-connection header

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 25 Jul 2007 16:30:22 +0200
To: "Jonas Sicking" <jonas@sicking.cc>, "Web APIs WG" <public-webapi@w3.org>
Message-ID: <op.tv0ykwxt64w2qv@annevk-t60.oslo.opera.com>

On Wed, 25 Jul 2007 15:52:06 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> The part I'm worried about is that the Authorization header will be  
> picked up by your (the authors) web sever. However Proxy-Authorization  
> will be picked up by the proxy. Using this you can potentially launch a  
> distributed brute-force password attack against a company proxy. This is  
> why I'm in general thinking that disallowing Proxy-* might be a good  
> idea.

Ok, fair enough:  
http://dev.w3.org/cvsweb/~checkout~/2006/webapi/XMLHttpRequest/Overview.html?content-type=text/html;%20charset=utf-8#setrequestheader

Is that better?


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 25 July 2007 14:30:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:58 GMT