- From: Henri Sivonen <hsivonen@iki.fi>
- Date: Wed, 20 Feb 2008 21:54:45 +0200
- To: "Mark Baker" <distobj@acm.org>
- Cc: "Anne van Kesteren" <annevk@opera.com>, "mike amundsen" <mamund@yahoo.com>, "John Panzer" <jpanzer@acm.org>, "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>

On Feb 20, 2008, at 21:49, Mark Baker wrote:

> On 2/20/08, Henri Sivonen <hsivonen@iki.fi> wrote:
>> What changes is that the browser is on the other side of the firewall
>> unlike curl or an open proxy.
>
> Hmm, good point. Come to think of it, we've discussed this before.
> But in that case, the attack is upon firewalls, not broken servers.

No, in that case the attack scenario is upon a broken intranet server that the attacker couldn't reach from outside the firewall but can from a browser that runs inside the firewall but has loaded scripts from the outside.

--
Henri Sivonen
hsivonen@iki.fi
http://hsivonen.iki.fi/

Received on Wednesday, 20 February 2008 19:55:06 UTC