- From: Mark Baker <distobj@acm.org>
- Date: Wed, 20 Feb 2008 01:07:33 -0500
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "mike amundsen" <mamund@yahoo.com>, "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
On 2/19/08, Anne van Kesteren <annevk@opera.com> wrote:
> The issue is that cross-site requests that are possible today for GET do
> not involve arbitrary headers made up by the author. Therefore servers
> could be vulnerable to cross-site GET requests that do have arbitrary
> headers set. This is a new attack vector and has nothing to do with the
> same-origin blacklist.

Hmm, I'm really not getting this... Can you describe one of these possible vulnerabilities for me please? And can you describe how it would only be triggered by a cross-site request and not a regular old GET on the same URL?

Thanks.

Mark.

--
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
Coactus; Web-inspired integration strategies http://www.coactus.com
Received on Wednesday, 20 February 2008 06:07:40 UTC
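The distinction the two messages are arguing about, modelled as an added example (not code from the mailing list, from either author, or from any W3C draft): a browser-side check that sends a cross-site request directly only when it carries nothing a page could already attach before cross-site XMLHttpRequest existed, and a constructed server whose pre-CORS handler treats the presence of a custom header as evidence that the caller is same-origin script. That server is exactly the kind Anne's quoted text has in mind: a plain GET without the header is refused, so the only new risk is a cross-site GET that can carry the header, and the preflight is what keeps that gated on the server's consent. The header names follow the CORS specification as eventually published (Access-Control-Request-Headers, Access-Control-Allow-Headers), which is an assumption relative to the 2008 draft; OriginServer, cross_site_fetch, the origins and the X-Requested-With convention are all constructed for the illustration.

```python
# Added illustration of the CORS preflight gate; not from the mailing list
# or any W3C draft. Header names follow the CORS spec as finally published.
from typing import Dict, List, Optional

# Request headers a browser may attach to a cross-site request without a
# preflight (the CORS "safelisted" headers, compared case-insensitively).
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_MEDIA_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
SIMPLE_METHODS = {"GET", "HEAD", "POST"}


def unsafe_header_names(headers: Dict[str, str]) -> List[str]:
    """Author-set headers that are not safelisted: these are what a browser
    would list in Access-Control-Request-Headers during a preflight."""
    out = []
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            out.append(lname)
        elif lname == "content-type":
            media = value.split(";", 1)[0].strip().lower()
            if media not in SAFELISTED_MEDIA_TYPES:
                out.append(lname)
    return out


def needs_preflight(method: str, headers: Dict[str, str]) -> bool:
    """True when the browser must ask the server (OPTIONS preflight) before
    sending this cross-site request: a non-simple method, or any header that
    a cross-site request could not carry before CORS existed."""
    return method.upper() not in SIMPLE_METHODS or bool(unsafe_header_names(headers))


class OriginServer:
    """Constructed server: a CORS policy (which origins and which author-set
    headers it accepts cross-site) plus a pre-CORS handler that treats a
    custom header as proof the caller is same-origin script."""

    def __init__(self, allowed_origins, allowed_headers, trusted_header: str):
        self.allowed_origins = set(allowed_origins)
        self.allowed_headers = {h.lower() for h in allowed_headers}
        self.trusted_header = trusted_header.lower()

    def preflight(self, origin: str, method: str, requested_headers) -> Optional[Dict[str, str]]:
        """Answer an OPTIONS preflight. Returns the CORS response headers,
        or None when the origin or any requested header is not allowed."""
        if origin not in self.allowed_origins:
            return None
        wanted = {h.lower() for h in requested_headers}
        if not wanted <= self.allowed_headers:
            return None
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": method.upper(),
            "Access-Control-Allow-Headers": ", ".join(sorted(wanted)),
        }

    def handle(self, headers: Dict[str, str]) -> str:
        """The actual request: acts only when the trusted header is present,
        which is what made a plain cross-site GET harmless to this server."""
        if any(k.lower() == self.trusted_header for k in headers):
            return "acted"
        return "refused"


def cross_site_fetch(server: OriginServer, origin: str, method: str, headers: Dict[str, str]) -> str:
    """Browser side: send simple requests directly; otherwise preflight first
    and drop the request unless the server explicitly approves the headers."""
    if needs_preflight(method, headers):
        reply = server.preflight(origin, method, unsafe_header_names(headers))
        if reply is None or reply.get("Access-Control-Allow-Origin") != origin:
            return "blocked-by-browser"
    return server.handle(headers)


if __name__ == "__main__":
    # Constructed origins; the server only trusts its own front-end origin.
    srv = OriginServer(["https://app.example"], [], "X-Requested-With")
    print(cross_site_fetch(srv, "https://other.example", "GET", {}))  # refused
    print(cross_site_fetch(srv, "https://other.example", "GET",
                           {"X-Requested-With": "XMLHttpRequest"}))  # blocked-by-browser
```

Two things to take from running it: a cross-site GET with no author headers reaches the handler and is refused, so it was never the problem; the same GET with X-Requested-With never reaches the handler at all unless the server's preflight response names that header and origin, which is what keeps the new capability from silently widening what the server's trusted-header check was protecting.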