On 24.02.2011 15:00, Anne van Kesteren wrote:
> On Thu, 24 Feb 2011 14:43:47 +0100, Richard L. Barnes <rbarnes@bbn.com>
> wrote:
>> On Feb 24, 2011, at 6:53 AM, Anne van Kesteren wrote:
>>> Would this not mean that for each new header introduced servers would
>>> have to check an "XHR2-secure" header in addition to it to make sure
>>> it is not being spoofed? That kind of complexity seems like something
>>> we should avoid.
>>
>> Even with the Sec-*, you need to check any new headers belong to that
>> namespace or the fixed enumeration. So it's just a question of how you
>> check, set containment vs. prefix match. I'll admit that checking
>> membership in a set is slightly more complex than a memcmp, but the
>> difference doesn't seem all that significant.
>
> With Sec-* only the client needs to be aware of the tricks. The server
> can simply trust the values because it can never get spoofed secure
> headers from compliant clients.

As long as the server relies on the request being sent by XmlHttpRequest,
right? Use a different type of client, and the header fields could be
sent...

BR, Julian

Received on Thursday, 24 February 2011 14:32:39 UTC
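The two checks the thread compares, as an added example that is not part of the original message or of any browser's code: a client-side setRequestHeader() guard that uses set containment for the fixed enumeration and a prefix match for the reserved "Proxy-" and "Sec-" namespaces, next to a non-browser client that has no such guard at all, so a server that simply trusts a Sec-* header cannot tell the two apart. The enumeration below is my reading of the XMLHttpRequest Level 2 draft of that period and is assumed to match the version under discussion; "Sec-Example-Token" and "X-Custom" are hypothetical header names; the client and server objects are stand-ins, not real XHR or HTTP implementations.

```javascript
// Added example (not from the thread). Forbidden request header names as I
// read them in the XHR2 draft of the time (assumption), plus the two
// reserved prefixes. Header names are case-insensitive, so compare lowercase.
const FORBIDDEN_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "content-transfer-encoding", "date", "expect", "host",
  "keep-alive", "origin", "referer", "te", "trailer", "transfer-encoding",
  "upgrade", "user-agent", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// Client-side check: set containment for the enumeration, prefix match for
// the namespaces. Both are cheap; the thread's "memcmp vs. set" point.
function isForbiddenRequestHeader(name) {
  const n = String(name).toLowerCase();
  return FORBIDDEN_HEADER_NAMES.has(n) ||
    FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Stand-in for a compliant XMLHttpRequest: a forbidden name is dropped and
// the call returns without effect, so script can never put Sec-* on the wire.
class CompliantXhrClient {
  constructor() { this.headers = {}; }
  setRequestHeader(name, value) {
    if (isForbiddenRequestHeader(name)) return; // silently ignored
    this.headers[name.toLowerCase()] = value;
  }
  send() { return { ...this.headers }; } // "the wire": what the server sees
}

// Stand-in for any other client (curl, a raw socket, a script): whatever the
// caller sets goes out verbatim. This is the case Julian raises.
class RawHttpClient {
  constructor() { this.headers = {}; }
  setRequestHeader(name, value) { this.headers[name.toLowerCase()] = value; }
  send() { return { ...this.headers }; }
}

// Server side: the "just trust Sec-*" policy. It only sees the received
// headers and has no way to know which kind of client produced them.
function serverTrustsSecHeader(receivedHeaders, name) {
  return Object.prototype.hasOwnProperty.call(receivedHeaders, name.toLowerCase());
}

// Run the same script-level actions through a given client and report
// whether the trusting server would accept the (hypothetical) Sec-* header.
function serverAcceptsForgedSecHeader(makeClient) {
  const c = makeClient();
  c.setRequestHeader("Sec-Example-Token", "forged"); // hypothetical name
  c.setRequestHeader("X-Custom", "fine");            // hypothetical name
  return serverTrustsSecHeader(c.send(), "Sec-Example-Token");
}
```

Calling serverAcceptsForgedSecHeader with a CompliantXhrClient returns false (the header never reaches the wire); with a RawHttpClient it returns true, which is exactly why the server-side trust only holds as long as the request is known to come from a compliant XMLHttpRequest.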