- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 05 Nov 2007 06:13:01 -0500
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "Thomas Roessler" <tlr@w3.org>, "WAF WG (public)" <public-appformats@w3.org>
On Mon, 05 Nov 2007 03:25:39 -0500, Jonas Sicking <jonas@sicking.cc> wrote: > I have heard arguments that the site might not want to broadcast who it > is authorizing. However this could effectively be figured out still by > simply brute-force testing all interesting servers and methods directly > from an evil server to the target server. No browser involved, simply > send HTTP requests containing Referer-Root and Method-Check headers. This wouldn't work if you had to authorize (either through cookies or HTTP authentication) before getting to the actual document. > Another thing that occurred to me is does HTTP caches take the full set > of request headers into account when caching? Otherwise it could be > directly harmful to include Referer-Root and Method-Check headers. The > cache might store an "authorize" reply when the request is made for > Referer-Root A and wrongly respond with the same document is checked for > Referer-Root B. The authentication request cache is a seperate thing that uses the Referer-Root and request URI as "primary key". Or do you mean something else? -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Monday, 5 November 2007 11:13:31 UTC