- From: Anne van Kesteren <annevk@opera.com>
- Date: Wed, 01 Jul 2009 11:34:05 +0200
- To: "Frederick Hirsch" <Frederick.Hirsch@nokia.com>
- Cc: "public-webapps WG" <public-webapps@w3.org>
I might not have time to address your larger set of questions before I leave on vacation tomorrow, but I thought I could at least answer this one.

On Tue, 30 Jun 2009 17:38:20 +0200, Frederick Hirsch <Frederick.Hirsch@nokia.com> wrote:
> One additional question regarding a cross-site GET (using browser here
> for simplicity of terms) (for example, see [1])
>
> Is it true that
>
> 1. the GET results in the content being returned on the wire with an
> Access-Control-Allow-Origin header
> 2. the browser then checks this header and enforces policy
> 3. if policy disallows then the browser does not allow the content to be
> used.

Yes, this is correct.

> In any case, doesn't this open an attack to get the content by sniffing
> the wire for the response content, regardless of the header?

If that is a viable attack scenario, such servers are already exposed due to e.g. cross-origin <img> or <iframe> loading, which already works today. Or e.g. by simply setting window.location to the address from which you want to sniff the response. All the header is effectively protecting is exposing the "raw" contents of a cross-origin resource to script.

> [1] http://arunranga.com/examples/access-control/SimpleXSInvocation.txt

-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Wednesday, 1 July 2009 09:34:50 UTC
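The three steps Frederick lists, and Anne's point that the header only gates what script may read rather than what leaves the server, can be modelled in a few lines. The following is an added JavaScript example, not code from the thread or from any browser or spec: it simulates a server that always returns the body over the "wire", then applies the browser-side check on Access-Control-Allow-Origin (including the wildcard-with-credentials and multiple-value cases) to decide whether script gets to see that body. The origins, the allow-list, the resource path and the header values are constructed test data.

```javascript
// Added example (not from the original thread): a minimal model of the
// browser-side CORS check for a simple cross-origin GET. The server always
// sends the body; the browser decides, from Access-Control-Allow-Origin,
// whether script may read it. All origins, paths and policies below are
// hypothetical, constructed for illustration.

// Decide whether script running at `requestOrigin` may read the response.
// `headers` maps lower-cased response header names to raw values;
// `withCredentials` mirrors XMLHttpRequest.withCredentials.
function corsAllowsRead(requestOrigin, headers, withCredentials) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;          // no header: body stays opaque to script
  if (acao.includes(',')) return false;          // several ACAO values folded together: reject
  const value = acao.trim();
  if (value === '*') return !withCredentials;    // wildcard is never valid with credentials
  if (value !== requestOrigin) return false;     // exact match against the serialized origin
  if (withCredentials) {
    // Credentialed reads additionally need Access-Control-Allow-Credentials: true
    const acac = (headers['access-control-allow-credentials'] || '').trim();
    return acac === 'true';
  }
  return true;
}

// Simulated server (hypothetical): answers every GET with the resource body no
// matter who asked, and only adds the ACAO header for allow-listed origins.
function simulateServer(path, originHeader) {
  const resources = { '/data.txt': 'secret-looking resource contents' }; // constructed
  const allowed = new Set(['https://app.example']);                        // constructed allow-list
  const headers = { 'content-type': 'text/plain' };
  if (allowed.has(originHeader)) headers['access-control-allow-origin'] = originHeader;
  return { status: 200, headers, body: resources[path] };
}

// Simulated browser: perform the cross-origin GET from a page at `pageOrigin`,
// then expose the body to script only when the CORS check passes. Both views
// are returned so the difference between "on the wire" and "visible to script"
// is explicit.
function crossOriginGet(pageOrigin, path, withCredentials = false) {
  const response = simulateServer(path, pageOrigin);
  const readable = corsAllowsRead(pageOrigin, response.headers, withCredentials);
  return {
    onTheWire: response.body,                       // always present, sniffable regardless of policy
    exposedToScript: readable ? response.body : null,
  };
}

// Usage: an allowed origin reads the body; a disallowed origin still causes the
// same bytes to be sent, but script sees nothing.
console.log(crossOriginGet('https://app.example', '/data.txt'));
console.log(crossOriginGet('https://evil.example', '/data.txt'));
```

Note that `onTheWire` is identical in both calls: the policy decision happens entirely on the client after the response has arrived, which is why an on-path observer gains nothing from CORS that they could not already obtain from an `<img>`, `<iframe>` or a navigation to the same URL.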