Re: Security-sensitive headers

On Tue, Feb 19, 2008 at 1:10 AM, Anne van Kesteren <annevk@opera.com> wrote:
> > specification we'd have to chose a header name that starts with
> > "Proxy-". There have been many other proposals for new
> > security-related HTTP headers (e.g. content restrictions) so it would
> > be nice to solve this issue in general.
>
> Comments like this do encourage me to introduce "Sec-" so we don't get a
> whole bunch of fake "Proxy-" headers. (Note that not all clients blacklist
> everything "Proxy-" yet.)

Please make sure to block setting the "Access-Control-Origin" header,
or rename it to have a restricted prefix.

If a page could use XMLHttpRequest to spoof this header for
same-origin requests, it could use DNS rebinding to spoof this header
in a request to an IP address of the attacker's choosing. If the
target server was validating the Access-Control-Origin header but not
the Host header, the server would think the request came from the
wrong origin.

-- Collin Jackson
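The failure mode Collin describes, as an added example that is not part of the thread: a server that trusts the Access-Control-Origin header alone accepts a request whose Host header names a rebound attacker-controlled domain, while a check that validates Host first rejects it. The header block, hostnames and trusted origin are constructed for illustration.

```python
# Added example (not from the thread): why validating the origin header alone
# is not enough when the Host header goes unchecked. All names are constructed.

TRUSTED_ORIGINS = {"http://app.example"}           # origins allowed cross-site access
SERVER_HOSTNAMES = {"api.example", "api.example:80"}  # names this server is really served under (assumed)


def parse_headers(raw: str) -> dict:
    """Parse a constructed HTTP/1.1 request header block into a lower-cased name -> value dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def vulnerable_check(headers: dict) -> bool:
    """Trusts Access-Control-Origin by itself: the pattern the message warns about."""
    return headers.get("access-control-origin") in TRUSTED_ORIGINS


def hardened_check(headers: dict) -> bool:
    """Only honours Access-Control-Origin once Host names this server.

    After DNS rebinding the request still carries the attacker's hostname in
    Host, so rejecting unknown Host values defeats the spoofed origin header.
    """
    if headers.get("host", "") not in SERVER_HOSTNAMES:
        return False
    return headers.get("access-control-origin") in TRUSTED_ORIGINS


# Constructed request: a page on attacker.example, whose name now resolves to this
# server's IP, sends a "same-origin" XHR carrying a spoofed Access-Control-Origin.
REBOUND_REQUEST = (
    "GET /private HTTP/1.1\r\n"
    "Host: attacker.example\r\n"
    "Access-Control-Origin: http://app.example\r\n"
    "\r\n"
)

# Constructed request from a legitimate client of this server.
LEGIT_REQUEST = (
    "GET /private HTTP/1.1\r\n"
    "Host: api.example\r\n"
    "Access-Control-Origin: http://app.example\r\n"
    "\r\n"
)
```

The origin-only check accepts REBOUND_REQUEST; the Host-aware check rejects it and still accepts LEGIT_REQUEST.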

Received on Saturday, 23 February 2008 08:28:01 UTC