W3C home > Mailing lists > Public > public-webapi@w3.org > February 2008

Re: Security-sensitive headers

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 25 Feb 2008 00:40:15 -0800
Message-ID: <47C27EEF.4050900@sicking.cc>
To: Collin Jackson <collinj@cs.stanford.edu>
Cc: Anne van Kesteren <annevk@opera.com>, public-webapi@w3.org, Adam Barth <abarth@cs.stanford.edu>

Collin Jackson wrote:
> On Tue, Feb 19, 2008 at 1:10 AM, Anne van Kesteren <annevk@opera.com> wrote:
>>> specification we'd have to chose a header name that starts with
>>  > "Proxy-". There have been many other proposals for new
>>  > security-related HTTP headers (e.g. content restrictions) so it would
>>  > be nice to solve this issue in general.
>>
>>  Comments like this do encourage me to introduce "Sec-" so we don't get a
>>  whole bunch of fake "Proxy-" headers. (Note that not all clients blaclist
>>  everything "Proxy-" yet.)
> 
> Please make sure to block setting the "Access-Control-Origin" header,
> or rename it to have a restricted prefix.
> 
> If a page could use XMLHttpRequest to spoof this header for
> same-origin requests, it could use DNS rebinding to spoof this header
> in a request to an IP address of the attacker's choosing. If the
> target server was validating the Access-Control-Origin header but not
> the Host header, the server would think the request came from the
> wrong origin.

Currently released browsers are always going to be able to send this 
header. If that is a big security problem I suggest you bring that up on 
the WAF mailing list and detail your concern.

/ Jonas
Received on Monday, 25 February 2008 08:40:54 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 25 February 2008 08:40:56 GMT