W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2011

Re: [XHR2] Feedback on sec-* headers

From: Anne van Kesteren <annevk@opera.com>
Date: Thu, 24 Feb 2011 15:00:56 +0100
To: "Richard L. Barnes" <rbarnes@bbn.com>
Cc: public-webapps@w3.org
Message-ID: <op.vreujtit64w2qv@anne-van-kesterens-macbook-pro.local>
On Thu, 24 Feb 2011 14:43:47 +0100, Richard L. Barnes <rbarnes@bbn.com>  
wrote:
> On Feb 24, 2011, at 6:53 AM, Anne van Kesteren wrote:
>> Would this not mean that for each new header introduced servers would  
>> have to check an "XHR2-secure" header in addition to it to make sure it  
>> is not being spoofed? That kind of complexity seems like something we  
>> should avoid.
>
> Even with the Sec-*, you need to check any new headers belong to that  
> namespace or the fixed enumeration.  So it's just a question of how you  
> check, set containment vs. prefix match.  I'll admit that checking  
> membership in a set is slightly more complex than a memcmp, but the  
> difference doesn't seem all that significant.

With Sec-* only the client needs to be aware of the tricks. The server can  
simply trust the values because it can never get spoofed secure headers  
 from compliant clients.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Thursday, 24 February 2011 14:01:48 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:43 GMT