Re: ISSUE 19: Requirements and Usage Scenarios document

On Tue, 15 Jan 2008 17:44:35 +0100, David Orchard <> wrote:
> If Cookies would be sent as part of more requests because of deployment
> of the Access Control spec, then isn't this spec opening a new attack
> vector? I understand your point that cookies are already sent under
> img, script and form, but this is something newer and in addition to
> those.

I think I disagree. The (type of) request is identical. Especially since  
it's about the request and not about the protocol that issues the request.

Anne van Kesteren

Received on Tuesday, 15 January 2008 20:06:39 UTC