- From: Mark Baker <distobj@acm.org>
- Date: Wed, 20 Feb 2008 14:49:43 -0500
- To: "Henri Sivonen" <hsivonen@iki.fi>
- Cc: "Anne van Kesteren" <annevk@opera.com>, "mike amundsen" <mamund@yahoo.com>, "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
On 2/20/08, Henri Sivonen <hsivonen@iki.fi> wrote:
> On Feb 20, 2008, at 20:42, Mark Baker wrote:
>
> > It's not a new attack vector, because I can already use curl to send a
> > GET message which causes the harm you're worried about. AFAICT, all
> > that changes in a cross-site scenario is that the attacker uses the
> > client as an anonymizer, something that can already be done with open
> > proxies (of various flavours).
>
> What changes is that the browser is on the other side of the firewall
> unlike curl or an open proxy.

Hmm, good point. Come to think of it, we've discussed this before.

But in that case, the attack is upon firewalls, not broken servers. So it seems to me that we'd only need to prevent hop-by-hop headers from being set (by treating the Connection header as immutable), as that's the only way in HTTP 1.1 to address an intermediary.

What do you think?

Mark.
--
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
Coactus; Web-inspired integration strategies http://www.coactus.com
Received on Wednesday, 20 February 2008 19:49:59 UTC
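
The restriction proposed in the message above, sketched as a client-side header filter. This is an added example, not code from the thread or from any browser; `filterAuthorHeaders`, `uaConnection` and the sample headers are hypothetical. It goes slightly beyond the message by also refusing the hop-by-hop headers listed in RFC 2616 section 13.5.1, any header the client's own Connection value names, and CR/LF in header text.

```javascript
// Hop-by-hop headers from RFC 2616 section 13.5.1. The RFC lists "Trailers";
// the header actually sent is "Trailer", so both spellings are covered.
const HOP_BY_HOP = new Set([
  "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
  "te", "trailer", "trailers", "transfer-encoding", "upgrade",
]);

// A Connection value is a comma-separated list of tokens, each naming a
// header (or option) that applies only to the next hop.
function connectionTokens(value) {
  return value.split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// Hypothetical helper: split author-supplied [name, value] pairs into those
// the client forwards and those it refuses. uaConnection is the Connection
// value the client itself will send (assumed input).
function filterAuthorHeaders(authorHeaders, uaConnection = "") {
  const nominated = new Set(connectionTokens(uaConnection));
  const allowed = [];
  const rejected = [];
  for (const [name, value] of authorHeaders) {
    const lower = name.trim().toLowerCase();
    let reason = null;
    if (/[\r\n]/.test(name + value)) {
      // A line break would let a value carry its own Connection line,
      // which would defeat the immutability rule.
      reason = "CR/LF in header";
    } else if (lower === "connection") {
      reason = "Connection is immutable";
    } else if (HOP_BY_HOP.has(lower)) {
      reason = "hop-by-hop header";
    } else if (nominated.has(lower)) {
      reason = "named by the client's Connection header";
    }
    if (reason) rejected.push({ name, reason });
    else allowed.push([name, value]);
  }
  return { allowed, rejected };
}

// Constructed sample input, for illustration only.
const sampleHeaders = [
  ["Accept", "text/html"],
  ["Connection", "close, X-Internal"],
  ["Transfer-Encoding", "chunked"],
  ["X-Hop", "1"],
  ["X-Note", "a\r\nConnection: upgrade"],
];
const sampleResult = filterAuthorHeaders(sampleHeaders, "keep-alive, X-Hop");
```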