- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 25 Feb 2008 00:40:15 -0800
- To: Collin Jackson <collinj@cs.stanford.edu>
- Cc: Anne van Kesteren <annevk@opera.com>, public-webapi@w3.org, Adam Barth <abarth@cs.stanford.edu>
Collin Jackson wrote:
> On Tue, Feb 19, 2008 at 1:10 AM, Anne van Kesteren <annevk@opera.com> wrote:
>>> specification we'd have to choose a header name that starts with
>>> "Proxy-". There have been many other proposals for new
>>> security-related HTTP headers (e.g. content restrictions) so it would
>>> be nice to solve this issue in general.
>>
>> Comments like this do encourage me to introduce "Sec-" so we don't get a
>> whole bunch of fake "Proxy-" headers. (Note that not all clients blacklist
>> everything "Proxy-" yet.)
>
> Please make sure to block setting the "Access-Control-Origin" header,
> or rename it to have a restricted prefix.
>
> If a page could use XMLHttpRequest to spoof this header for
> same-origin requests, it could use DNS rebinding to spoof this header
> in a request to an IP address of the attacker's choosing. If the
> target server was validating the Access-Control-Origin header but not
> the Host header, the server would think the request came from the
> wrong origin.

Currently released browsers are always going to be able to send this header. If that is a big security problem I suggest you bring that up on the WAF mailing list and detail your concern.

/ Jonas
Received on Monday, 25 February 2008 08:40:54 UTC
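The scenario Collin describes, as an added example that is not part of the thread and not code from any of its participants: a server-side access check that trusts the origin header alone, beside one that also requires the Host header to name one of the server's own hostnames. With DNS rebinding, the attacker's page is loaded from attacker.example, that name is then re-pointed at the target's IP, and the browser treats the XMLHttpRequest as same-origin, so the page can set the header freely while the browser still sends Host: attacker.example. The header name "Access-Control-Origin" is the draft name under discussion; the hostnames, origins and sample requests are constructed for the example.

```javascript
// Added example (not from the thread): why validating the origin header
// without also validating Host lets a DNS-rebound request through.
// "Access-Control-Origin" is the draft header name discussed above;
// the hostnames and origins below are hypothetical.

// Hostnames this server answers for, and origins it is willing to serve.
const SERVER_HOSTNAMES = new Set(['api.trusted.example']);
const ALLOWED_ORIGINS = new Set(['http://app.trusted.example']);

// Case-insensitive header lookup over a plain { name: value } object.
function headerValue(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Weak check: decides on the origin header alone. A same-origin XHR can
// set this header to whatever the page likes, so it proves nothing about
// which site the request really came from.
function weakOriginCheck(headers) {
  const origin = headerValue(headers, 'Access-Control-Origin');
  return origin !== undefined && ALLOWED_ORIGINS.has(origin);
}

// Hardened check: the request must have been addressed to one of this
// server's own hostnames (Host, with any port stripped) before the origin
// header is even considered. A rebound request carries the attacker's
// hostname in Host, because that is where the browser thinks it is talking.
function hardenedCheck(headers) {
  const host = headerValue(headers, 'Host');
  if (host === undefined) return false;
  const hostname = host.replace(/:\d+$/, '').toLowerCase();
  if (!SERVER_HOSTNAMES.has(hostname)) return false;
  return weakOriginCheck(headers);
}

// Constructed sample requests (header subsets only).
const legitimateRequest = {
  'Host': 'api.trusted.example',
  'Access-Control-Origin': 'http://app.trusted.example',
};

// DNS rebinding: attacker.example now resolves to the target's IP, and the
// attacker's page spoofs the origin header on a "same-origin" XHR.
const rebindingRequest = {
  'Host': 'attacker.example',
  'Access-Control-Origin': 'http://app.trusted.example',
};

// Run both checks over both requests; returns the decision table.
function evaluate() {
  return {
    legitimate: {
      weak: weakOriginCheck(legitimateRequest),
      hardened: hardenedCheck(legitimateRequest),
    },
    rebinding: {
      weak: weakOriginCheck(rebindingRequest),
      hardened: hardenedCheck(rebindingRequest),
    },
  };
}

console.log(JSON.stringify(evaluate(), null, 2));
```

The weak check accepts both requests; the hardened check accepts only the legitimate one. The Host check is the server-side defence that works regardless of whether browsers block the header, which is the point Jonas makes about already-released browsers.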