Re: [cors] Possible need for a "Destination" Header

On Mon, 16 Feb 2009 18:14:10 +0100, Mike Chack (mchack) <>  
> Unless I am missing something, there seems to be a security hole with
> the current proposal. If a site has been hacked then malicous code can
> send content to any site that abides by the access control policies.  It
> is up to the destination site to accept the request, and in the case of
> a nefarious destination, would most certainly do so. Wouldn't it also
> make sense to have some policy control from the origination site that
> would limit where requests could be made. This could be done in the form
> of a "Desitnation" Header that would give more control over where
> XmlHttp requests could be directed.

I'm not sure I follow. If a site has been hacked, why would it still  
control the "Destination" header? Note that if a site is hacked and wants  
to distribute data to it already has lots of ways to do  
that e.g. through <img src>, <form action>, <iframe src>, etc.

Anne van Kesteren

Received on Tuesday, 17 February 2009 11:23:28 UTC