
Re: Security-sensitive headers

From: Collin Jackson <collinj@cs.stanford.edu>
Date: Sat, 23 Feb 2008 00:27:36 -0800
Message-ID: <986207e70802230027n51ab4197m6fe9f6fb41f67ba2@mail.gmail.com>
To: "Anne van Kesteren" <annevk@opera.com>
Cc: public-webapi@w3.org, "Adam Barth" <abarth@cs.stanford.edu>

On Tue, Feb 19, 2008 at 1:10 AM, Anne van Kesteren <annevk@opera.com> wrote:
> > specification we'd have to choose a header name that starts with
> > "Proxy-". There have been many other proposals for new
> > security-related HTTP headers (e.g. content restrictions) so it would
> > be nice to solve this issue in general.
>
> Comments like this do encourage me to introduce "Sec-" so we don't get a
> whole bunch of fake "Proxy-" headers. (Note that not all clients blacklist
> everything "Proxy-" yet.)

Please make sure to block setting the "Access-Control-Origin" header,
or rename it to have a restricted prefix.

If a page could use XMLHttpRequest to spoof this header for
same-origin requests, it could use DNS rebinding to spoof this header
in a request to an IP address of the attacker's choosing. If the
target server was validating the Access-Control-Origin header but not
the Host header, the server would think the request came from the
wrong origin.

-- Collin Jackson
Received on Saturday, 23 February 2008 08:28:01 GMT
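The two checks this thread argues for, as an added illustration (not code from the thread, from any browser, or from the spec): a client-side filter that refuses to let a page set the "Access-Control-Origin" header or anything under the "Proxy-"/"Sec-" prefixes, and the server-side Host check that defeats the DNS-rebinding scenario Collin describes. The explicit header list, the "Sec-" prefix and the function names are assumptions for this example.

```javascript
// Names a page must never be allowed to set through setRequestHeader.
// Assumed list for this example; "Proxy-" is the prefix the thread says
// clients already blacklist, "Sec-" is the prefix Anne proposes.
const FORBIDDEN_HEADER_NAMES = new Set([
  "access-control-origin", // the header Collin asks to have blocked
  "host",                  // a spoofed Host would defeat the server-side check
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// Case-insensitive check; header names are compared after trimming.
function isForbiddenRequestHeader(name) {
  const n = String(name).trim().toLowerCase();
  if (FORBIDDEN_HEADER_NAMES.has(n)) return true;
  return FORBIDDEN_PREFIXES.some((prefix) => n.startsWith(prefix));
}

// Stand-in for the client side of XMLHttpRequest.setRequestHeader:
// returns the header map with the header applied, or throws if forbidden.
function setRequestHeader(headers, name, value) {
  if (isForbiddenRequestHeader(name)) {
    throw new Error(`refusing to set restricted header: ${name}`);
  }
  headers[String(name).trim().toLowerCase()] = value;
  return headers;
}

// Server side. In the rebinding scenario the attacker's page makes a
// same-origin request to the attacker's hostname, which DNS now resolves
// to this server's IP. The browser still sends the attacker's hostname in
// Host, so a server that checks Host against the names it actually serves
// rejects the request even if the origin header was spoofed.
// (Constructed: servedHosts entries are assumed to be in the same form as
// the Host header value, e.g. "victim.example" or "victim.example:8080".)
function isTrustedRequest(headers, servedHosts, allowedOrigins) {
  const host = (headers["host"] || "").toLowerCase();
  const origin = (headers["access-control-origin"] || "").toLowerCase();
  if (!servedHosts.includes(host)) return false; // rebound request: wrong Host
  return allowedOrigins.includes(origin);
}
```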
