- From: Collin Jackson <collinj@cs.stanford.edu>
- Date: Sat, 23 Feb 2008 00:27:36 -0800
- To: "Anne van Kesteren" <annevk@opera.com>
- Cc: public-webapi@w3.org, "Adam Barth" <abarth@cs.stanford.edu>
On Tue, Feb 19, 2008 at 1:10 AM, Anne van Kesteren <annevk@opera.com> wrote:

> > specification we'd have to choose a header name that starts with
> > "Proxy-". There have been many other proposals for new
> > security-related HTTP headers (e.g. content restrictions) so it would
> > be nice to solve this issue in general.
>
> Comments like this do encourage me to introduce "Sec-" so we don't get a
> whole bunch of fake "Proxy-" headers. (Note that not all clients blacklist
> everything "Proxy-" yet.)

Please make sure to block setting the "Access-Control-Origin" header, or rename it to have a restricted prefix. If a page could use XMLHttpRequest to spoof this header for same-origin requests, it could use DNS rebinding to spoof this header in a request to an IP address of the attacker's choosing. If the target server was validating the Access-Control-Origin header but not the Host header, the server would think the request came from the wrong origin.

--
Collin Jackson
Received on Saturday, 23 February 2008 08:28:01 UTC
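The two checks the message argues for, written out as an added example (not code from the thread or from any browser or W3C draft): a client-side rule refusing to let script set "Proxy-"/"Sec-" prefixed headers or the draft's Access-Control-Origin header, and a server-side check that validates the Host header as well as the declared origin, so a DNS-rebound request with a forged origin header is still rejected. The function names, the `served_hosts`/`allowed_origins` parameters and all host names are assumptions constructed for illustration.

```python
"""Added example: header restrictions on the client, Host + origin checks on the server."""

# Prefixes the message wants reserved so page script cannot forge them.
RESTRICTED_PREFIXES = ("proxy-", "sec-")
# Headers to block explicitly; HTTP header names are case-insensitive.
RESTRICTED_HEADERS = {"access-control-origin", "host"}


def script_may_set_header(name: str) -> bool:
    """Client-side rule: may XMLHttpRequest-driven script set this request header?"""
    lname = name.strip().lower()
    if lname in RESTRICTED_HEADERS:
        return False
    return not lname.startswith(RESTRICTED_PREFIXES)


def server_accepts(headers: dict, served_hosts: set, allowed_origins: set) -> bool:
    """Server-side check: the request must name a host we serve AND an allowed origin.

    Validating only Access-Control-Origin is the flaw the message describes: after
    DNS rebinding the Host header carries the attacker's domain, while the origin
    header could be forged to look trusted. Checking Host closes that gap.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "").split(":", 1)[0].lower()  # drop any :port suffix
    if host not in served_hosts:
        return False
    return h.get("access-control-origin", "") in allowed_origins


if __name__ == "__main__":
    # Constructed scenario: attacker.example has been rebound to the victim
    # server's IP and the page forged the origin header to a trusted value.
    rebound = {"Host": "attacker.example",
               "Access-Control-Origin": "https://trusted.example"}
    legit = {"Host": "victim.example:443",
             "Access-Control-Origin": "https://trusted.example"}
    for req in (rebound, legit):
        ok = server_accepts(req, {"victim.example"}, {"https://trusted.example"})
        print(req["Host"], "->", "accepted" if ok else "rejected")
    print("script may set Access-Control-Origin:",
          script_may_set_header("Access-Control-Origin"))
```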