- From: Mark Baker <distobj@acm.org>
- Date: Wed, 20 Feb 2008 09:15:39 -0500
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: "mike amundsen" <mamund@yahoo.com>, "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, public-appformats@w3.org
On 2/20/08, Anne van Kesteren <annevk@opera.com> wrote:
> On Wed, 20 Feb 2008 07:07:33 +0100, Mark Baker <distobj@acm.org> wrote:
> > On 2/19/08, Anne van Kesteren <annevk@opera.com> wrote:
> >> The issue is that cross-site requests that are possible today for GET do
> >> not involve arbitrary headers made up by the author. Therefore servers
> >> could be vulnerable to cross-site GET requests that do have arbitrary
> >> headers set. This is a new attack vector and has nothing to do with the
> >> same-origin blacklist.
> >
> > Hmm, I'm really not getting this...
> >
> > Can you describe one of these possible vulnerabilities for me please?
>
> http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0191.html

Google uses a header like that for GData, but it's only meaningful with
POST requests, not GET requests;

http://code.google.com/apis/gdata/basics.html

Your premise seems to be that in the future, the community might rally
around and widely deploy brain-dead extensions which attempt to violate
the fundamental semantics of HTTP, in this case the safety of GET
messages. IMO, that's not a realistic concern.

Mark.

--
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
Coactus; Web-inspired integration strategies http://www.coactus.com
Received on Wednesday, 20 February 2008 14:16:00 UTC
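Added example, not part of this thread or of the Access Control draft: a model of the point Anne is making, namely that a server which treats a custom request header as proof of same-origin script is protected only if the browser refuses to send such a header cross-site without a preflight. The header safelist below is the one later standardised in CORS (an assumption relative to the 2008 draft), and the custom header name is a constructed placeholder.

```python
# Model of the preflight rule at issue in the thread (added example, not the
# spec's or the list's own code). Safelist is the later CORS one, assumed here.
SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

# Constructed placeholder for the kind of author-chosen header Anne describes.
CUSTOM_HEADER = "X-Example-Same-Origin-Token"


def needs_preflight(method: str, headers: dict) -> bool:
    """True if a cross-site request with this method and header set could not
    already be produced by a plain form, link or <img>, so the browser must
    first ask the server (OPTIONS preflight) before sending it."""
    if method.upper() not in SAFE_METHODS:
        return True
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True  # an author-set header: new capability, gate it
        if lname == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SAFELISTED_CONTENT_TYPES:
                return True
    return False


def legacy_server_trusts(method: str, headers: dict) -> bool:
    """A pre-cross-site-XHR server of the kind the quoted text worries about:
    it takes the mere presence of a custom header as evidence that the caller
    is same-origin script, because nothing else on the 2008 web could attach
    one to a cross-site GET."""
    return any(k.lower() == CUSTOM_HEADER.lower() for k in headers)


def forged_request_reaches_trusted_path(method: str, headers: dict,
                                        preflight_enforced: bool) -> bool:
    """Would a cross-site request crafted by a third-party page reach the
    legacy server's trusted code path? With preflight enforced, any request
    carrying the custom header is held back until the server opts in, so the
    server's assumption keeps holding."""
    if preflight_enforced and needs_preflight(method, headers):
        return False
    return legacy_server_trusts(method, headers)
```

The last function is the crux of the disagreement: without the preflight gate, a GET that today is harmless would become a way to satisfy the legacy server's same-origin heuristic.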