- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 20 Feb 2008 09:17:32 -0800
- To: "WAF WG (public)" <public-appformats@w3.org>, "Close, Tyler J." <tyler.close@hp.com>
Sorry, that should say: *Wednesday* (Feb 20) 3pm Pacific, 6pm Eastern, 23:00 UTC

Jonas Sicking wrote:
>
> Hi All,
>
> We didn't manage to finish the security review last week, so we're going
> to continue tomorrow. The contact info is about the same as last week:
>
> * Tuesday 3pm Pacific, 6pm Eastern, 20:00 UTC
> * Mozilla Building S - Central Area
> * 650-903-0800 or 650-215-1282 x91 Conf# 217 (US/INTL)
> * 1-800-707-2533 (pin 369) Conf# 217 (US)
>
> Background material here:
> http://wiki.mozilla.org/User:Sicking/Cross_Site_XHR_Review
>
> There were two big issues that came up during the last review:
>
> Should we send cookies and auth headers for cross site requests:
> For now we decided not to, but I'd like to bring this issue up in other
> forums too, will do so here shortly. This issue will not be dealt with
> tomorrow since it's simply too big to reach a conclusion.
>
> Could DNS rebind attacks be made worse through the access-control spec:
> The attack that was brought up was an attacker able to redirect any
> given request to his own site. He could then redirect the OPTIONS
> request to his own site but let the POST requests go through to the
> targeted site and cause harm.
> However, this is already possible today. If an attacker can redirect a
> single request he could just redirect a request for a script or html
> resource which would include scripts that could perform same-site
> XMLHttpRequests which would have the same effect.
>
>
> Anyone is invited to call in or come by.
>
> Best Regards,
> Jonas Sicking
>
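The argument quoted above, that a redirected preflight buys nothing because the target server still sees the POST itself, implies the server must judge every request on its own headers rather than on whether a preflight was observed. The following is an added example (not code from this thread or from the access-control spec) of such a check, covering both the DNS-rebinding concern (Host header) and the cross-site concern (Origin header); the hostnames, origins and allowlists are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed configuration for this example: the names this server answers
# for, and the sites permitted to make cross-site requests to it.
ALLOWED_HOSTS = {"api.example.test"}
ALLOWED_ORIGINS = {"https://app.example.test"}


@dataclass
class Decision:
    status: int
    headers: dict = field(default_factory=dict)
    reason: str = ""


def check_request(method: str, headers: dict) -> Decision:
    """Decide whether to serve one request using only that request's headers.

    - Host must be one of our own names. A DNS-rebound or redirected request
      carries a hostname we never served, so it is refused outright.
    - Cross-site requests are judged by Origin on *every* request. A preflight
      OPTIONS that never reached us (because it was redirected elsewhere) does
      not help an attacker: the actual POST is checked on its own.
    - A request without Origin is not a cross-site XHR under this policy;
      other CSRF defenses for plain form posts are out of scope here.
    """
    host = headers.get("Host", "")
    origin = headers.get("Origin")
    if host not in ALLOWED_HOSTS:
        return Decision(400, reason="unexpected Host header (possible rebinding)")
    if origin is None:
        return Decision(200, reason="no Origin header: not a cross-site XHR")
    if origin not in ALLOWED_ORIGINS:
        return Decision(403, reason="origin not allowed")
    cors = {"Access-Control-Allow-Origin": origin}
    if method == "OPTIONS":
        cors["Access-Control-Allow-Methods"] = "GET, POST"
        return Decision(204, cors, "preflight for allowed origin")
    return Decision(200, cors, "cross-site request from allowed origin")


def attacker_scenario() -> list:
    """Constructed walk-through of the thread's attack: the preflight is
    redirected away (so we never see it) and only the POST arrives here."""
    post_from_attacker = {"Host": "api.example.test", "Origin": "https://evil.example"}
    rebound_post = {"Host": "attacker.example", "Origin": "https://evil.example"}
    return [check_request("POST", post_from_attacker).status,
            check_request("POST", rebound_post).status]
```

Both decisions in `attacker_scenario()` are refusals, which is the point of the quoted reasoning: the preflight is not the boundary, the target's own per-request check is.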
Received on Wednesday, 20 February 2008 17:17:18 UTC