- From: Anne van Kesteren <annevk@opera.com>
- Date: Sat, 24 May 2008 12:03:24 +0200
- To: "Ian Hickson" <ian@hixie.ch>
- Cc: "Bjoern Hoehrmann" <derhoermi@gmx.net>, "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
On Thu, 22 May 2008 11:29:51 +0200, Ian Hickson <ian@hixie.ch> wrote: > I'd vote for keeping it, with big warnings giving examples of how it can > go wrong if used on IIS servers, and with warnings to avoid using it with > mod_rewrite rules that map things out of the scope of the policy path. > > If we start worrying about what happens with misconfigured servers, we're > going to end up paralysed. What about a server that's misconfigured to > delete its filesystem if you send it an OPTIONS request with a header it > doesn't recognise? Ok, Access-Control-Policy-Path stays in. (An additional requirement for this attack by the way is that the victim has a deal with the attacker or that the attacker managed to get hold of a site that has a deal with victim (in which case other bad stuff could happen as well).) I used your example and that of Björn and added a pointer (within a big red warning) from the definition of Access-Control-Policy-Path to the security section where the situation is explained. -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Saturday, 24 May 2008 10:04:01 UTC