- From: John Panzer <jpanzer@acm.org>
- Date: Tue, 12 Feb 2008 22:31:54 -0800
- To: Ian Hickson <ian@hixie.ch>
- CC: "WAF WG (public)" <public-appformats@w3.org>
Received on Wednesday, 13 February 2008 06:35:33 UTC
Ian Hickson wrote:
> On Mon, 11 Feb 2008, John Panzer wrote:
>
>> My point here is just that there are existing mechanisms that are
>> already deployed in the field to deal with these attacks. And to plead,
>> as a side note, not to block the use of such mechanisms for AC4CSR...
>
> I'm not sure we could block them if we tried. :-)
>
> (Though they might need to use different headers, of course -- we
> obviously can't allow scripts doing cross-origin requests to arbitrarily
> change HTTP authentication headers.)

Sorry, it's not obvious to me. We're talking about a situation where the server has explicitly opted in to CSRs. I can understand not sending authorization data from the browser itself by default, maybe, but to block scripts from setting a header seems unnecessary and will just lead to X-Authorization:.
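Added example, not part of the original thread and not the AC4CSR draft: a small JavaScript model of how the CORS rules that eventually shipped (the Fetch standard, as documented on MDN) answer the question argued above. A script may set Authorization on a cross-origin request, but doing so forces a preflight, and the server has to opt in by naming the header in Access-Control-Allow-Headers; the wildcard `*` covers a renamed X-Authorization but, by the standard's explicit rule, never covers Authorization itself. The request and response objects below are plain constructed dictionaries of my own shape, not a browser API; value-length limits and the Content-Type parsing edge cases are left out.

```javascript
// Added example: a minimal evaluator of modern CORS preflight rules.
// Assumed shapes (not a real browser API):
//   req = { origin, method, headers: {name: value}, credentials: bool }
//   preflightResponse = { 'Access-Control-Allow-*': value }

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// CORS-safelisted request headers are sent without a preflight.
function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (n === 'accept' || n === 'accept-language' || n === 'content-language') return true;
  if (n === 'content-type') {
    const mime = String(value).split(';')[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(mime);
  }
  return false; // Authorization, X-Authorization, X-Anything: all non-safelisted
}

function needsPreflight(req) {
  if (!SAFELISTED_METHODS.has(req.method.toUpperCase())) return true;
  return Object.entries(req.headers).some(([k, v]) => !isSafelistedHeader(k, v));
}

function splitList(v) {
  return (v || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Would the browser send the actual request? Returns { allowed, reason }.
function evaluateCors(req, preflightResponse) {
  const res = {};
  for (const [k, v] of Object.entries(preflightResponse)) res[k.toLowerCase()] = v;
  const credentials = !!req.credentials;

  // Origin check: exact match, or '*' only for non-credentialed requests.
  const allowOrigin = res['access-control-allow-origin'];
  if (allowOrigin !== req.origin && (allowOrigin !== '*' || credentials)) {
    return { allowed: false, reason: 'origin not allowed' };
  }
  if (credentials && res['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'credentials not allowed' };
  }
  if (!needsPreflight(req)) return { allowed: true, reason: 'no preflight needed' };

  // Method check: safelisted methods pass; others must be listed ('*' only without credentials).
  const methods = splitList(res['access-control-allow-methods']);
  const methodOk = SAFELISTED_METHODS.has(req.method.toUpperCase())
    || methods.includes(req.method.toLowerCase())
    || (methods.includes('*') && !credentials);
  if (!methodOk) return { allowed: false, reason: `method ${req.method} not allowed` };

  // Header check: each non-safelisted header must be listed. '*' is a wildcard
  // only without credentials, and per the Fetch standard it never covers Authorization.
  const headers = splitList(res['access-control-allow-headers']);
  const wildcard = headers.includes('*') && !credentials;
  for (const [k, v] of Object.entries(req.headers)) {
    if (isSafelistedHeader(k, v)) continue;
    const name = k.toLowerCase();
    const covered = headers.includes(name) || (wildcard && name !== 'authorization');
    if (!covered) return { allowed: false, reason: `header ${k} not allowed` };
  }
  return { allowed: true, reason: 'preflight accepted' };
}

// Constructed scenarios for the Authorization vs X-Authorization question.
function scenarios() {
  const origin = 'https://app.example';
  const withAuth = { origin, method: 'GET', headers: { Authorization: 'Bearer t' }, credentials: false };
  const withXAuth = { origin, method: 'GET', headers: { 'X-Authorization': 'Bearer t' }, credentials: false };
  const wildcardOptIn = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Headers': '*' };
  const explicitOptIn = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Headers': 'Authorization' };
  return {
    authWildcard: evaluateCors(withAuth, wildcardOptIn).allowed,   // false: '*' never covers Authorization
    authExplicit: evaluateCors(withAuth, explicitOptIn).allowed,   // true: server named the header
    xAuthWildcard: evaluateCors(withXAuth, wildcardOptIn).allowed, // true: renamed header is just a custom header
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(scenarios());
```

The point for the thread: the script-set header is not blocked, it is gated on the same server opt-in that makes the cross-site request possible in the first place, and renaming it to X-Authorization changes nothing about who can send it, only which rule in the allow list covers it.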