Re: Security-sensitive headers

Collin Jackson wrote:
> On Tue, Feb 19, 2008 at 1:10 AM, Anne van Kesteren <annevk@opera.com> wrote:
>>> specification we'd have to chose a header name that starts with
>>  > "Proxy-". There have been many other proposals for new
>>  > security-related HTTP headers (e.g. content restrictions) so it would
>>  > be nice to solve this issue in general.
>>
>>  Comments like this do encourage me to introduce "Sec-" so we don't get a
>>  whole bunch of fake "Proxy-" headers. (Note that not all clients blaclist
>>  everything "Proxy-" yet.)
> 
> Please make sure to block setting the "Access-Control-Origin" header,
> or rename it to have a restricted prefix.
> 
> If a page could use XMLHttpRequest to spoof this header for
> same-origin requests, it could use DNS rebinding to spoof this header
> in a request to an IP address of the attacker's choosing. If the
> target server was validating the Access-Control-Origin header but not
> the Host header, the server would think the request came from the
> wrong origin.

Currently released browsers are always going to be able to send this 
header. If that is a big security problem I suggest you bring that up on 
the WAF mailing list and detail your concern.

/ Jonas

Received on Monday, 25 February 2008 08:40:54 UTC