- From: Anne van Kesteren <annevk@opera.com>
- Date: Thu, 24 Feb 2011 15:00:56 +0100
- To: "Richard L. Barnes" <rbarnes@bbn.com>
- Cc: public-webapps@w3.org
On Thu, 24 Feb 2011 14:43:47 +0100, Richard L. Barnes <rbarnes@bbn.com> wrote:

> On Feb 24, 2011, at 6:53 AM, Anne van Kesteren wrote:
>> Would this not mean that for each new header introduced servers would
>> have to check an "XHR2-secure" header in addition to it to make sure it
>> is not being spoofed? That kind of complexity seems like something we
>> should avoid.
>
> Even with the Sec-*, you need to check any new headers belong to that
> namespace or the fixed enumeration. So it's just a question of how you
> check, set containment vs. prefix match. I'll admit that checking
> membership in a set is slightly more complex than a memcmp, but the
> difference doesn't seem all that significant.

With Sec-* only the client needs to be aware of the tricks. The server can
simply trust the values because it can never get spoofed secure headers
from compliant clients.

-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Thursday, 24 February 2011 14:01:48 UTC
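The thread contrasts two ways a client can keep script from setting headers the server is meant to trust: a prefix match on the `Sec-` namespace versus membership in a fixed enumeration. The following is an added example, not code from the thread or from any XMLHttpRequest implementation; the header names in `FIXED_FORBIDDEN` are a constructed sample rather than the spec's list, and `buildRequestHeaders` is a hypothetical stand-in for the client's setRequestHeader filtering. It shows why a newly introduced trusted header needs no client change under the prefix rule but does under the set rule.

```javascript
// Added example (not from the thread): two client-side strategies for
// refusing script-controlled request headers, so the server can trust
// whatever arrives from a compliant client.

// Strategy 2's data: a fixed enumeration of names script may not set.
// Constructed sample list; the real list lives in the XMLHttpRequest spec.
const FIXED_FORBIDDEN = new Set([
  'host', 'content-length', 'cookie', 'origin', 'referer',
]);

// RFC 7230 token characters; anything else is not a legal header name.
const TOKEN_RE = /^[!#$%&'*+.^_`|~0-9A-Za-z-]+$/;

function isValidHeaderName(name) {
  return typeof name === 'string' && TOKEN_RE.test(name);
}

// Strategy 1 (prefix match): the whole Sec-* namespace is reserved for the
// user agent. A header introduced later, e.g. "Sec-Example-New", is blocked
// without any client update, which is the property Anne relies on.
function forbiddenByPrefix(name) {
  return name.toLowerCase().startsWith('sec-');
}

// Strategy 2 (set containment): only enumerated names are blocked, so every
// new trusted header must be added to the set or script can spoof it.
function forbiddenBySet(name, set = FIXED_FORBIDDEN) {
  return set.has(name.toLowerCase());
}

// The hypothetical client applies both rules: prefix OR fixed set.
function isForbiddenRequestHeader(name) {
  return forbiddenByPrefix(name) || forbiddenBySet(name);
}

// Minimal model of setRequestHeader filtering: invalid or forbidden names
// are dropped and reported, everything else is kept (lower-cased key).
function buildRequestHeaders(requested) {
  const accepted = {};
  const refused = [];
  for (const [name, value] of Object.entries(requested)) {
    if (!isValidHeaderName(name) || isForbiddenRequestHeader(name)) {
      refused.push(name);
    } else {
      accepted[name.toLowerCase()] = value;
    }
  }
  return { accepted, refused };
}

// Constructed sample input: one future Sec-* header, one enumerated header,
// one ordinary header, and one syntactically invalid name.
const SAMPLE_REQUEST = {
  'Sec-Example-New': '1',
  'Cookie': 'session=abc',
  'Content-Type': 'text/plain',
  'Bad Name': 'x',
};

console.log(buildRequestHeaders(SAMPLE_REQUEST));
```

Running the block prints the accepted and refused sets for the sample; the point to notice is that `Sec-Example-New` is refused only because of the prefix rule, while the set rule alone would have let it through.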