W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: Redirect and Origin

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 9 Jun 2009 14:52:23 -0700
Message-ID: <7789133a0906091452y41660dfdvf57d63aabf3faa8c@mail.gmail.com>
To: Tyler Close <tyler.close@gmail.com>
Cc: public-webapps <public-webapps@w3.org>
On Tue, Jun 9, 2009 at 2:20 PM, Tyler Close<tyler.close@gmail.com> wrote:
> I had thought CORS, by it's use of Origin, was meant to be a safe
> replacement for JSON-P.

Can you explain again how the attack works for Origin-header-for-CORS?
 Keep in mind that the response is delivered to the original
requester, who should be accurately identified by the Origin header
(even through redirects).

Adam
Received on Tuesday, 9 June 2009 21:53:20 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:31 GMT