- From: Jonas Sicking <jonas@sicking.cc>
- Date: Mon, 20 Oct 2008 17:48:07 +0200
- To: Charles McCathieNevile <chaals@opera.com>
- CC: WebApps WG <public-webapps@w3.org>
Charles McCathieNevile wrote:
>
> Hi folks,
>
> at
> http://dev.w3.org/cvsweb/~checkout~/2006/webapi/progress/Progress.html?rev=1.24
> you will find a new draft of the progress events spec, for your
> delectation...

So the spec says that for HEAD requests the size should include the size of headers.

I just realized that this might be a security issue. The headers can include the user's password, many times in clear text. If a site knows the size of the default headers for a given implementation, it can figure out the size of the user's password by subtracting the default size from the size reported from the 'load' event from a HEAD request.

/ Jonas
Received on Monday, 20 October 2008 15:50:07 UTC