- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 20 Feb 2008 11:04:05 +0100
- To: "Mark Baker" <distobj@acm.org>
- Cc: "mike amundsen" <mamund@yahoo.com>, "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
On Wed, 20 Feb 2008 07:07:33 +0100, Mark Baker <distobj@acm.org> wrote: > On 2/19/08, Anne van Kesteren <annevk@opera.com> wrote: >> The issue is that cross-site requests that are possible today for GET do >> not involve arbitrary headers made up by the author. Therefore servers >> could be vulnerable to cross-site GET requests that do have arbitrary >> headers set. This is a new attack vector and has nothing to do with the >> same-origin blacklist. > > Hmm, I'm really not getting this... > > Can you describe one of these possible vulnerabilities for me please? http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0191.html > And can you describe how it would only be triggered by a cross-site > request and not a regular old GET on the same URL? Currently cross-site GET requests with arbitrary headers set are not possible. -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Wednesday, 20 February 2008 09:59:50 UTC