W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2011

Re: [XHR2] Feedback on sec-* headers

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 24 Feb 2011 15:00:56 +0100
To: "Richard L. Barnes" <rbarnes@bbn.com>
Cc: public-webapps@w3.org
Message-ID: <op.vreujtit64w2qv@anne-van-kesterens-macbook-pro.local>
On Thu, 24 Feb 2011 14:43:47 +0100, Richard L. Barnes <rbarnes@bbn.com>  
> On Feb 24, 2011, at 6:53 AM, Anne van Kesteren wrote:
>> Would this not mean that for each new header introduced servers would  
>> have to check an "XHR2-secure" header in addition to it to make sure it  
>> is not being spoofed? That kind of complexity seems like something we  
>> should avoid.
> Even with the Sec-*, you need to check any new headers belong to that  
> namespace or the fixed enumeration.  So it's just a question of how you  
> check, set containment vs. prefix match.  I'll admit that checking  
> membership in a set is slightly more complex than a memcmp, but the  
> difference doesn't seem all that significant.

With Sec-* only the client needs to be aware of the tricks. The server can  
simply trust the values because it can never get spoofed secure headers  
 from compliant clients.

Anne van Kesteren
Received on Thursday, 24 February 2011 14:01:48 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 20 October 2015 13:55:39 UTC