- From: mike amundsen <mca@amundsen.com>
- Date: Tue, 19 Feb 2008 10:31:53 -0500
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "WAF WG (public)" <public-appformats@w3.org>
Well, how is this handled today for XmlHttpRequest? I'm not advocating for *removing* HTTP Header restrictions from XmlHttpRequest WRT CSR. I am however unable to see how CSR makes it important to *add* to any existing HTTP Header restrictions for CSR-related XmlHttpRequest.

We can all come up with potentially harmful uses of XmlHttpRequests against a server. Web servers currently have a lot more to fear than scripting of XmlHttpRequest requests [grin]!

I can see where adding CSR support to XmlHttpRequest can possibly make it *easier* to create harmful requests. I can see where adding CSR support can increase the *number* of these harmful requests. But I haven't found an example of how CSR can create any *new* harmful requests.

MikeA

On Feb 18, 2008 7:11 PM, Jonas Sicking <jonas@sicking.cc> wrote:
> mike amundsen wrote:
> > I agree w/ Kris:
> >
> > Limiting HTTP headers is a real problem. I see no reason for this.
> > Certainly not for security reasons.
>
> How can you know that it is safe to send any header to any server? Note
> that no access checks are done before sending GET requests, so allowing
> any header there seems like it has great potential to have undesired
> effects on servers.
>
> / Jonas
>

--
mca
http://amundsen.com/blog/
Received on Tuesday, 19 February 2008 15:32:06 UTC