- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 13 Feb 2008 07:23:57 +0000 (UTC)
- To: John Panzer <jpanzer@acm.org>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
On Tue, 12 Feb 2008, John Panzer wrote:
> > (Though they might need to use different headers, of course -- we
> > obviously can't allow scripts doing cross-origin requests to
> > arbitrarily change HTTP authentication headers.)
>
> Sorry, it's not obvious to me. We're talking about a situation where
> the server has explicitly opted in to CSRs. I can understand not
> sending authorization data from the browser itself by default, maybe,
> but to block scripts from setting a header seems unnecessary and will
> just lead to X-Authorization:.

There's no way we can allow a distributed authorisation credentials attack on systems using username/password authentication or cookie authentication mechanisms. The browser vendors just wouldn't let us implement anything that allowed that.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 13 February 2008 07:24:39 UTC