- From: Maciej Stachowiak <mjs@apple.com>
- Date: Thu, 03 Dec 2009 12:24:11 -0800
- To: Tyler Close <tyler.close@gmail.com>
- Cc: Adam Barth <w3c@adambarth.com>, "Martin J. Dürst" <duerst@it.aoyama.ac.jp>, Julian Reschke <julian.reschke@gmx.de>, public-web-security@w3.org
On Dec 3, 2009, at 12:10 PM, Tyler Close wrote:

> On Thu, Dec 3, 2009 at 10:37 AM, Maciej Stachowiak <mjs@apple.com> wrote:
>> Do you see an actual flaw in my reasoning as applied to the command-line
>> tool in question?
>
> Sending a POST request with Content-Type application/xml using a
> webbot is a likely thing to do and the redirect attack would not be
> prevented by either of the mitigations you listed.

How does that affect my original point 1?

To recap, my point 1 was that if you send no credentials, only resources behind firewalls face potential vulnerability from redirects. This is so because such a request could be sent by the potential attacker directly, without involving a redirect. I believe this remains the case even if you send a POST request with Content-Type application/xml.

Regards,
Maciej
Received on Thursday, 3 December 2009 20:24:45 UTC
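The reasoning in Maciej's point 1 maps directly onto a redirect policy for a credential-less client such as the command-line tool under discussion: a redirect to a publicly reachable host gives an attacker nothing they could not get by sending the request themselves, so the only redirect targets worth refusing are the ones behind a firewall. The following is an added illustration, not code from this thread or from any of its participants. The set of "internal" address ranges, the hostnames `public.example` and `intranet.corp.example`, their fixed DNS answers and the response table are all constructed assumptions so that the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Address space reachable only from inside a network perimeter: the
# "resources behind firewalls" of point 1. For a request that carries no
# credentials, a redirect to a public host changes nothing (the attacker
# could have sent that request directly), so these are the destinations
# a redirect-following client should refuse. The list is an assumed
# policy for this example, not something taken from the thread.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this host"
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def is_internal_address(ip: str) -> bool:
    """True if the literal address `ip` falls in one of INTERNAL_NETWORKS."""
    addr = ipaddress.ip_address(ip)
    # An IPv4 address carried as ::ffff:a.b.c.d must be judged as IPv4,
    # otherwise a v6 literal would slip past the v4 ranges.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_NETWORKS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def redirect_allowed(location: str, resolve) -> bool:
    """Decide whether a credential-less client may follow `location`.

    `resolve` maps a hostname to one IP string. It is injected so the
    example runs offline; in a real client it must be the same resolution
    the connection will use (resolve once, connect to that address), so
    a changing DNS answer cannot separate the check from the connect.
    """
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        ip = parts.hostname if _is_ip_literal(parts.hostname) else resolve(parts.hostname)
    except (KeyError, OSError):
        return False  # unresolvable: refuse rather than guess
    return not is_internal_address(ip)


def follow_redirects(start_url: str, responses: dict, resolve, max_hops: int = 5):
    """Walk a constructed response table {url: (status, location_or_body)}.

    Returns (last_url_reached, reason); reason is None when the chain
    ended at a final response, otherwise a string saying why it was cut.
    """
    url = start_url
    for _ in range(max_hops):
        status, payload = responses[url]
        if status not in (301, 302, 303, 307, 308):
            return url, None
        if not redirect_allowed(payload, resolve):
            return url, f"refused redirect to {payload}"
        url = payload
    return url, "too many redirects"


# Constructed data: a hypothetical public host and a hypothetical intranet
# host with fixed "DNS" answers, so nothing is looked up for real.
CONSTRUCTED_DNS = {
    "public.example": "203.0.113.10",      # documentation range, stands in for a public server
    "intranet.corp.example": "10.0.0.5",   # RFC 1918, stands in for a firewalled server
}
CONSTRUCTED_RESPONSES = {
    "http://public.example/mirror": (302, "http://public.example/real"),
    "http://public.example/real": (200, "<ok/>"),
    "http://public.example/lure": (302, "http://intranet.corp.example/admin"),
}


def demo():
    resolve = CONSTRUCTED_DNS.__getitem__
    # Public -> public: followed; a direct request would reach the same place.
    public_chain = follow_redirects("http://public.example/mirror", CONSTRUCTED_RESPONSES, resolve)
    # Public -> intranet: refused; this is the one case point 1 leaves at risk.
    internal_chain = follow_redirects("http://public.example/lure", CONSTRUCTED_RESPONSES, resolve)
    return public_chain, internal_chain


if __name__ == "__main__":
    for final_url, reason in demo():
        print(final_url, "->", reason or "followed")
```

The check is deliberately applied per hop, not only to the first URL, because a chain of public hosts can end at an internal one. Rejecting unresolvable names and non-HTTP schemes errs on the side of refusing, which is the right default for a client that has no credentials to protect but could still act as a bridge into a firewalled network.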