Re: Access Control for Cross-site Requests WD Published

On Tue, 19 Feb 2008 16:31:53 +0100, mike amundsen <mca@amundsen.com> wrote:
> Well, how is this handled today for XmlHttpRequest? I'm not advocating
> for *removing* HTTP Header restrictions from XmlHttpRequest WRT CSR. I
> am however unable to see of CSR makes it important to *add* to any
> existing HTTP Header restrictions for CSR-related XmlHttpRequest.

Can you please stop the flood of messages? Thanks. You're asking the same
question twenty times and it's starting to annoy me, especially since you
forget to read the arguments and are apparently forgetting that
XMLHttpRequest _today_ does not allow cross-site requests at all. That's
why we're here.


> We can all come up with potentially harmful uses of XmlHttpRequests
> against a server. Web servers currently have a lot more to fear than
> scripting of XmlHttpRequest requests [grin]!
>
> I can see where adding CSR support to XmlHttpRequest can possibly make
> it *easier* to create harmful requests. I can see where adding CSR
> support can increase the *number* of these harmful requests. But I
> haven't found an example of how CSR can create any *new* harmful
> requests.

I have given an example on this mailing list already. Study it. Also, what
Jonas said is true. That you can't think of any risks or that we as a
whole can't think of any risks doesn't mean that there are no risks.
Introducing new attack vectors is absolutely *not* what we want to do here.

So please stop the flooding with useless advocacy.


-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>

Received on Tuesday, 19 February 2008 15:40:43 UTC