- From: Adam Barth <w3c@adambarth.com>
- Date: Wed, 8 Apr 2009 21:23:11 -0700
- To: Bil Corry <bil@corry.biz>
- Cc: Thomas Roessler <tlr@w3.org>, Jonas Sicking <jonas@sicking.cc>, Ian Hickson <ian@hixie.ch>, Anne van Kesteren <annevk@opera.com>, public-webapps@w3.org, Maciej Stachowiak <mjs@apple.com>, Sam Weinig <weinig@apple.com>, Sid Stamm <sstamm@mozilla.com>, Brandon Sterne <bsterne@mozilla.com>
On Wed, Apr 8, 2009 at 1:32 PM, Bil Corry <bil@corry.biz> wrote:
> BTW, one reason to do this is to help deter timing attacks. Any request that arrives for the login page or a protected page that isn't same-origin can be redirected to a common landing page.

This doesn't make much sense. People mount timing attacks against the login form from their own machine (where they can send whatever headers they like).

Adam
Received on Thursday, 9 April 2009 04:24:03 UTC