
Re: [XHR2] Feedback on sec-* headers

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 24 Feb 2011 15:31:52 +0100
Message-ID: <4D666BD8.9080203@gmx.de>
To: Anne van Kesteren <annevk@opera.com>
CC: "Richard L. Barnes" <rbarnes@bbn.com>, public-webapps@w3.org
On 24.02.2011 15:00, Anne van Kesteren wrote:
> On Thu, 24 Feb 2011 14:43:47 +0100, Richard L. Barnes <rbarnes@bbn.com>
> wrote:
>> On Feb 24, 2011, at 6:53 AM, Anne van Kesteren wrote:
>>> Would this not mean that for each new header introduced servers would
>>> have to check an "XHR2-secure" header in addition to it to make sure
>>> it is not being spoofed? That kind of complexity seems like something
>>> we should avoid.
>>
>> Even with the Sec-*, you need to check any new headers belong to that
>> namespace or the fixed enumeration. So it's just a question of how you
>> check, set containment vs. prefix match. I'll admit that checking
>> membership in a set is slightly more complex than a memcmp, but the
>> difference doesn't seem all that significant.
>
> With Sec-* only the client needs to be aware of the tricks. The server
> can simply trust the values because it can never get spoofed secure
> headers from compliant clients.

As long as the server relies on the request being sent by 
XmlHttpRequest, right? Use a different type of client, and the header 
fields could be sent...

BR, Julian
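The two server-side checks that Richard contrasts (prefix match on `Sec-` versus membership in a fixed enumeration), together with the limit Julian points out, written out as an added example. This code is not from the thread or from any XHR2 implementation; the trusted-header set, the `Sec-Example-Token` header name and the request bytes are constructed for illustration. The point it makes runnable is that either check only tells the server which headers a compliant XMLHttpRequest client would have refused to let script set; it says nothing about whether the request came from such a client at all, so `Sec-*` values carry no provenance by themselves.

```python
# Added example, not code from the thread. Assumes a server that wants to know
# which request headers script in a compliant XHR2 client could not have set.

# Constructed fixed enumeration of headers the server treats as browser-controlled.
TRUSTED_FIXED_HEADERS = {"host", "origin", "content-length"}  # assumption


def is_browser_controlled_prefix(name: str) -> bool:
    """Prefix match, as Richard describes: any Sec-* header is off limits to script."""
    return name.lower().startswith("sec-")


def is_browser_controlled_set(name: str, fixed=frozenset(TRUSTED_FIXED_HEADERS)) -> bool:
    """Set containment: the fixed enumeration, or the Sec-* namespace."""
    n = name.lower()
    return n in fixed or n.startswith("sec-")


def parse_request_headers(raw: bytes) -> dict:
    """Minimal parser for the header block of an HTTP/1.1 request (no body handling)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the request line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def headers_script_could_not_set(headers: dict, check) -> list:
    """Names that pass the given check, i.e. a compliant XHR client would not let script set them."""
    return sorted(name for name in headers if check(name))


def looks_like_xhr_client(headers: dict) -> bool:
    """Constructed heuristic stand-in: a server cannot actually verify this from headers.
    Returned False here for a non-browser User-Agent to make the caveat visible."""
    ua = headers.get("user-agent", "")
    return "not-a-browser" not in ua


def audit(raw: bytes) -> dict:
    """Classify headers both ways and record whether provenance is actually established."""
    headers = parse_request_headers(raw)
    return {
        "by_prefix": headers_script_could_not_set(headers, is_browser_controlled_prefix),
        "by_set": headers_script_could_not_set(headers, is_browser_controlled_set),
        # Julian's point: the classification above does not prove the request
        # came from a compliant client, so it must not be used as proof of that.
        "provenance_established": looks_like_xhr_client(headers),
    }


# Constructed request from a non-browser client that includes a Sec-* header.
NON_BROWSER_REQUEST = (
    b"GET /api HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: not-a-browser/1.0\r\n"
    b"Sec-Example-Token: constructed-value\r\n"
    b"X-Custom: anything\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(audit(NON_BROWSER_REQUEST))
```

Both checks flag `sec-example-token` as a header script could not have set, while the same request is plainly not from an XHR client; the set-based check additionally covers the fixed names (`host` here) that the prefix rule ignores. The difference between the two checks is the one Richard describes, a lookup versus a prefix compare, and neither closes the gap Julian raises.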
Received on Thursday, 24 February 2011 14:32:39 GMT
