- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 25 Jul 2007 16:30:22 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>, "Web APIs WG" <public-webapi@w3.org>
On Wed, 25 Jul 2007 15:52:06 +0200, Jonas Sicking <jonas@sicking.cc> wrote:
> The part I'm worried about is that the Authorization header will be
> picked up by your (the authors) web server. However Proxy-Authorization
> will be picked up by the proxy. Using this you can potentially launch a
> distributed brute-force password attack against a company proxy. This is
> why I'm in general thinking that disallowing Proxy-* might be a good
> idea.

Ok, fair enough:

http://dev.w3.org/cvsweb/~checkout~/2006/webapi/XMLHttpRequest/Overview.html?content-type=text/html;%20charset=utf-8#setrequestheader

Is that better?

--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Wednesday, 25 July 2007 14:30:34 UTC
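
The restriction discussed in this message, sketched as an added example (not code from the XMLHttpRequest draft or from either participant): a header-name guard that refuses any `Proxy-*` header regardless of case. The names `isBlockedRequestHeader` and `GuardedRequest`, the token check, and the choice to drop a blocked header silently are assumptions of this sketch; only the `Proxy-*` rule comes from the thread.

```javascript
// Added example: hypothetical guard, not the draft's or any browser's code.
// Characters allowed in an HTTP header name (the RFC 7230 "token" set).
const HTTP_TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function isBlockedRequestHeader(name) {
  // Reject malformed names first so CR/LF or spaces cannot hide a second header.
  if (typeof name !== "string" || !HTTP_TOKEN.test(name)) {
    throw new SyntaxError("invalid header name: " + JSON.stringify(name));
  }
  // Header names are case-insensitive, so compare in lower case.
  // Proxy-* headers are consumed by the intermediary, not the origin server.
  return name.toLowerCase().startsWith("proxy-");
}

// Minimal stand-in for a request object that applies the guard.
class GuardedRequest {
  constructor() {
    this.headers = new Map();
  }

  // Returns true if the header was stored, false if it was dropped.
  setRequestHeader(name, value) {
    if (isBlockedRequestHeader(name)) {
      return false; // assumption: blocked headers are ignored, not an error
    }
    const key = name.toLowerCase();
    const previous = this.headers.get(key);
    // Repeated calls for the same header combine the values.
    this.headers.set(
      key,
      previous === undefined ? String(value) : previous + ", " + value
    );
    return true;
  }
}

// Constructed sample input: script-supplied headers for one request.
const req = new GuardedRequest();
req.setRequestHeader("Authorization", "Basic placeholder");       // stored
req.setRequestHeader("proxy-AUTHORIZATION", "Basic placeholder"); // dropped
```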