Re: [cors] Review

From: Anne van Kesteren <annevk@opera.com>
Date: Wed, 17 Jun 2009 09:15:14 +0200
To: "Tyler Close" <tyler.close@gmail.com>, "Mark Nottingham" <mnot@mnot.net>
Cc: public-webapps@w3.org
Message-ID: <op.uvnqfom064w2qv@annevk-t60>
On Wed, 17 Jun 2009 07:41:42 +0200, Tyler Close <tyler.close@gmail.com> wrote:
> One solution is:
>
> 1. Don't add any client credentials to requests.
> 2. Allow the script to use whatever HTTP method, headers and request
> entity it wants, restricting use of some headers, such as Referer.
>
> This leaves resources relying solely on a firewall for authentication
> vulnerable.

It also leaves sites vulnerable that do IP-based authentication.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 17 June 2009 07:15:54 GMT
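The exposure the two messages describe is a resource that authenticates by network position (a firewall, or an IP allow-list) being reached by a browser that already sits inside that network on behalf of some other site. The following is an added illustration, not code from the thread or from the CORS specification: a server-side handler that keeps the IP-based check but additionally requires an explicit origin allow-list for any request that carries an Origin header, and rejects non-allowed cross-origin requests before doing any work rather than relying on the browser to withhold the response. The trusted networks, the allowed origin and the request objects are constructed values for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed example values (not from the thread): the network the resource
# trusts by IP, and the web origins allowed to call it cross-origin.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_ORIGINS = {"https://intranet.example"}


@dataclass
class Request:
    client_ip: str
    method: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def ip_is_trusted(client_ip: str) -> bool:
    """The legacy check: is the TCP peer inside the trusted network?"""
    addr = ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def handle(req: Request) -> Response:
    # Step 1: network-position check, exactly as an IP-authenticated
    # resource did before cross-origin requests existed.
    if not ip_is_trusted(req.client_ip):
        return Response(403)

    origin = req.headers.get("Origin")
    if origin is None:
        # No Origin header: not a cross-origin browser request, so the
        # IP check is the whole of the authorization, as before.
        return Response(200)

    # Step 2: a cross-origin browser request. The browser itself is on the
    # trusted network, so the IP check says nothing about which site
    # authored the request; only the Origin does. "null" and unknown
    # origins are refused outright, so no side effect happens server-side
    # even if the browser would have withheld the response anyway.
    if origin not in ALLOWED_ORIGINS:
        return Response(403)

    cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

    # A CORS preflight from an allowed origin: answer it without touching
    # the resource, advertising only the methods the resource supports.
    if req.method == "OPTIONS" and "Access-Control-Request-Method" in req.headers:
        cors["Access-Control-Allow-Methods"] = "GET, POST"
        return Response(204, cors)

    return Response(200, cors)


if __name__ == "__main__":
    print(handle(Request("10.1.2.3", "GET")))
    print(handle(Request("10.1.2.3", "POST", {"Origin": "https://other.example"})))
    print(handle(Request("10.1.2.3", "POST", {"Origin": "https://intranet.example"})))
```

The design choice worth noting: omitting `Access-Control-Allow-Origin` only stops the browser from exposing the response body; if the proposal quoted above (any method and entity without a preflight) were adopted, a state-changing request would already have executed by then. Refusing unknown origins with a 403 before acting is what actually protects a resource that has nothing but network position to go on.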