Re: [cors] Review

On Wed, 17 Jun 2009 07:41:42 +0200, Tyler Close <tyler.close@gmail.com> wrote:
> One solution is:
>
> 1. Don't add any client credentials to requests.
> 2. Allow the script to use whatever HTTP method, headers and request
> entity it wants, restricting use of some headers, such as Referer.
>
> This leaves resources relying solely on a firewall for authentication
> vulnerable.

It also leaves sites vulnerable that do IP-based authentication.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Wednesday, 17 June 2009 07:15:54 UTC