On 6/30/11 6:55 PM, Glenn Adams wrote:
> if EvilCompany does not include an Origin header in its request

EvilCompany doesn't get to generate its request. EvilCompany relies on requests the user's browser makes.

> if BigCompany does not respond to fetches not containing an Origin, then
> again EvilCompany can guess an origin that permits access, resulting in
> a fetch;

EvilCompany can't make direct requests to sites inside BigCompany's firewall.

> EvilCompany does not need to use a UA, but can construct their own HTTP
> client to accomplish this;

No, see above.

-Boris

Received on Friday, 1 July 2011 00:15:22 GMT
This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 17:20:42 GMT