Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

On Thu, 22 May 2008 11:29:51 +0200, Ian Hickson <> wrote:
> I'd vote for keeping it, with big warnings giving examples of how it can
> go wrong if used on IIS servers, and with warnings to avoid using it with
> mod_rewrite rules that map things out of the scope of the policy path.
> If we start worrying about what happens with misconfigured servers, we're
> going to end up paralysed. What about a server that's misconfigured to
> delete its filesystem if you send it an OPTIONS request with a header it
> doesn't recognise?

Ok, Access-Control-Policy-Path stays in. (An additional requirement for this attack, by the way, is that the victim has a deal with the attacker or that the attacker managed to get hold of a site that has a deal with the victim (in which case other bad stuff could happen as well).)

I used your example and that of Björn and added a pointer (within a big red warning) from the definition of Access-Control-Policy-Path to the security section where the situation is explained.

Anne van Kesteren
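The thread's point is that a policy path is only a safe scope boundary if the server resolves paths the way the string comparison assumes. The following is an added example, not code from this thread or from the Access-Control draft: a defender-side scope check that canonicalizes both the declared policy path and the requested path (percent-decoding, dot-segment removal, and optionally the case-folding and backslash handling of a Windows/IIS-style server) before comparing them, next to the naive prefix check it replaces. The function names, the `windows_style` flag and the sample paths are assumptions made here. Note what it cannot do: a mod_rewrite rule that maps a URL inside the policy path onto a resource outside it is invisible at the URL level, which is why the warning in the spec text is still needed.

```python
# Added example, not code from the thread or from the Access-Control spec.
# It shows why a scope check for a declared policy path must compare
# canonicalized paths rather than raw strings. Function names, the
# windows_style flag and the sample paths are assumptions made here.
from urllib.parse import unquote


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments of an absolute path (RFC 3986, 5.2.4)."""
    segments = path.split("/")[1:]  # drop the empty string before the leading "/"
    ends_with_slash = bool(segments) and segments[-1] in ("", ".", "..")
    stack = []
    for seg in segments:
        if seg == "..":
            if stack:
                stack.pop()  # never climb above the root
        elif seg != ".":
            stack.append(seg)
    if ends_with_slash and stack and stack[-1] == "":
        stack.pop()  # the trailing slash is re-added below
    result = "/" + "/".join(stack)
    if ends_with_slash and not result.endswith("/"):
        result += "/"
    return result


def canonicalize(path: str, windows_style: bool = False) -> str:
    """Bring a path into the form the origin server will actually resolve.

    Percent-decoding happens first so that encoded dots and slashes are
    seen as dots and slashes (%2e%2e -> ..). With windows_style=True the
    path is also case-folded and backslashes are treated as separators,
    mirroring the IIS behaviour the thread warns about (assumption: the
    server's filesystem is case-insensitive).
    """
    decoded = unquote(path)
    if windows_style:
        decoded = decoded.replace("\\", "/").lower()
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    return remove_dot_segments(decoded)


def naive_prefix_check(policy_path: str, request_path: str) -> bool:
    """The check that looks right but is wrong: raw string prefix only."""
    return request_path.startswith(policy_path)


def within_policy_path(policy_path: str, request_path: str,
                       windows_style: bool = False) -> bool:
    """True only if the request resolves inside the policy path's subtree."""
    policy = canonicalize(policy_path, windows_style)
    if not policy.endswith("/"):
        policy += "/"  # "/app" must not match "/application"
    request = canonicalize(request_path, windows_style)
    # The directory itself counts as in scope, as does anything below it.
    return request == policy.rstrip("/") or request.startswith(policy)


if __name__ == "__main__":
    policy = "/app/"
    # Constructed sample request paths, including two that a naive check accepts.
    for req in ("/app/api/data", "/app/../admin", "/app/%2e%2e/admin", "/App/api"):
        print(f"{req:22} naive={naive_prefix_check(policy, req)!s:5} "
              f"canonical={within_policy_path(policy, req)!s:5} "
              f"windows={within_policy_path(policy, req, windows_style=True)}")
```

The check is deliberately conservative: it decodes `%2F` to a separator and removes every dot segment, so a request that any reasonable server might resolve outside the subtree is rejected, at the cost of rejecting a few paths that a strict server would have served. The `windows_style` flag is the only place where server-specific behaviour enters; a deployment should set it to match the server actually behind the policy path rather than guess.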