- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 17 Jun 2009 09:15:14 +0200
- To: "Tyler Close" <tyler.close@gmail.com>, "Mark Nottingham" <mnot@mnot.net>
- Cc: public-webapps@w3.org
On Wed, 17 Jun 2009 07:41:42 +0200, Tyler Close <tyler.close@gmail.com> wrote:

> One solution is:
>
> 1. Don't add any client credentials to requests.
> 2. Allow the script to use whatever HTTP method, headers and request
>    entity it wants, restricting use of some headers, such as Referer.
>
> This leaves resources relying solely on a firewall for authentication
> vulnerable.

It also leaves sites vulnerable that do IP-based authentication.

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 17 June 2009 07:15:54 UTC
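The failure mode discussed in this thread, as an added illustration that is not part of the original message or of any W3C specification: a resource that grants access on the strength of the client's network address (a firewall or IP-based check) cannot distinguish a request the user meant to make from one a cross-origin script issued from inside that user's browser, because both arrive from the same trusted address. Withholding the browser's own credentials (cookies, HTTP auth) does nothing here, since the "credential" is the network position. The mitigation is authority the script cannot obtain on its own: an explicit secret that the browser never attaches automatically. The network range, the token value, the `X-Api-Token` header name and the sample requests below are all constructed for the example.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed: the resource treats everything inside 10.0.0.0/8 as "behind the firewall".
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed: a per-user secret the legitimate client presents explicitly.
# A cross-origin script does not know it, and the browser never adds it on its own.
API_TOKEN = "example-token-not-real"


@dataclass
class Request:
    """Minimal model of an incoming HTTP request as the server sees it."""
    client_ip: str
    headers: dict  # header name -> value, as received


def authorize_by_ip(req: Request) -> bool:
    """Ambient authority: trust anyone whose traffic arrives from the intranet.

    This is the policy the thread calls vulnerable: the browser of an intranet
    user is itself on the intranet, so a request a foreign page's script makes
    through that browser passes this check just as the user's own would.
    """
    return ipaddress.ip_address(req.client_ip) in TRUSTED_NET


def authorize_by_token(req: Request) -> bool:
    """Explicit authority: require a secret only the intended client holds.

    Free choice of method and headers by the script is harmless here; the
    script can set the header name but cannot fill in a value it never had.
    Constant-time comparison avoids leaking the token through timing.
    """
    presented = req.headers.get("X-Api-Token", "")
    return hmac.compare_digest(presented, API_TOKEN)


# Constructed scenario: an intranet user's browser at 10.1.2.3 runs a script
# served by an unrelated external site; that script issues a request with no
# browser-added credentials, choosing its own method and headers.
CROSS_SITE_REQUEST = Request(
    client_ip="10.1.2.3",
    headers={"Origin": "http://external-site.example"},
)

# Same machine, but the user's own application presenting its explicit token.
LEGIT_REQUEST = Request(
    client_ip="10.1.2.3",
    headers={"X-Api-Token": API_TOKEN},
)


def evaluate() -> dict:
    """Run both policies against both requests and return the verdicts."""
    return {
        "ip_policy_accepts_cross_site": authorize_by_ip(CROSS_SITE_REQUEST),
        "token_policy_accepts_cross_site": authorize_by_token(CROSS_SITE_REQUEST),
        "token_policy_accepts_legit": authorize_by_token(LEGIT_REQUEST),
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name}: {verdict}")
```

The IP policy accepts the cross-site request (the address is trusted, and nothing about the request reveals that a foreign script made it), while the token policy rejects it and still accepts the user's own client. Reading the outcome the other way round: a server that relies on network position cannot be protected by the browser withholding credentials, because it never relied on those credentials in the first place.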