- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 9 Jun 2009 14:52:23 -0700
- To: Tyler Close <tyler.close@gmail.com>
- Cc: public-webapps <public-webapps@w3.org>
On Tue, Jun 9, 2009 at 2:20 PM, Tyler Close<tyler.close@gmail.com> wrote: > I had thought CORS, by it's use of Origin, was meant to be a safe > replacement for JSON-P. Can you explain again how the attack works for Origin-header-for-CORS? Keep in mind that the response is delivered to the original requester, who should be accurately identified by the Origin header (even through redirects). Adam
Received on Tuesday, 9 June 2009 21:53:20 UTC