- From: Philippe De Ryck <philippe.deryck@cs.kuleuven.be>
- Date: Tue, 14 Feb 2012 14:52:14 +0100
- To: public-webappsec@w3.org
On Mon, 2012-02-06 at 23:03 +0000, Hill, Brad wrote:
> Following further consideration, I have updated my proposed security
> considerations text for CORS around avoidance of confused deputy
> vulnerabilities when using implicit credentials.
>
> The new text follows; comments, additions and improvements welcome.

It is probably useful to add an additional security consideration stating how to securely deal with the "null" value in the Origin header. This can occur with CORS requests from sandboxed origins that have a unique origin as well as with redirected CORS requests ( https://www.w3.org/2011/webappsec/track/actions/46 ).

Philippe

--
Philippe De Ryck
KULeuven Dept. of Computer Science
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
Received on Tuesday, 14 February 2012 13:53:10 UTC
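The point raised above, as an added example that is not part of the original message or of the proposed CORS text: a responder that reflects the Origin header, or that lists the literal string "null" as an allowed origin, grants a credentialed response to a request that identifies no site at all, because any page can produce `Origin: null` from a sandboxed frame with a unique origin (and the browser itself sends it after a cross-origin redirect of a CORS request). The allowlist entries below (`https://app.example`, `https://admin.example`) are hypothetical; the weak and strict policies are written here to contrast the two behaviours.

```javascript
// Added example: how a CORS responder should treat the Origin value "null".
// Not code from the original message or from any W3C draft.
//
// "null" is what the browser sends when the requesting context has a unique
// (opaque) origin, e.g. a page loaded in <iframe sandbox="allow-scripts"
// srcdoc="..."> on an attacker's site, and it is also what a CORS request
// carries after a cross-origin redirect. It therefore names no site and must
// never be treated as a trusted peer.

// Hypothetical allowlist of serialized origins (scheme://host[:port], no path).
const ALLOWED_ORIGINS = new Set([
  "https://app.example",
  "https://admin.example",
]);

// Weak policy: echoes the Origin header back, and (as some deployments do
// "for local testing") accepts the literal string "null". A sandboxed frame
// on any site satisfies this check and receives a credentialed response.
function weakCorsHeaders(originHeader) {
  if (originHeader === undefined) return {};
  if (ALLOWED_ORIGINS.has(originHeader) || originHeader === "null") {
    return {
      "Access-Control-Allow-Origin": originHeader,
      "Access-Control-Allow-Credentials": "true",
    };
  }
  return {};
}

// Strict policy:
//  - never grant anything for "null" or for a missing header;
//  - only accept a well-formed serialized origin that matches the allowlist
//    exactly (so "https://app.example/" or "https://app.example.evil" fail);
//  - never reflect an unlisted origin; emit no ACAO at all instead;
//  - always send Vary: Origin so a shared cache cannot hand one origin's
//    grant to another.
function strictCorsHeaders(originHeader) {
  const deny = { "Vary": "Origin" };
  if (typeof originHeader !== "string" || originHeader === "null") return deny;

  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return deny; // not parseable as a URL, so not a serialized origin
  }
  // URL.origin re-serializes; a mismatch means the header carried a path,
  // userinfo, fragment or other junk that a real browser Origin never has.
  if (parsed.origin !== originHeader) return deny;
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return deny;

  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed sample: the attacker-side markup that yields Origin: null.
// Shown as a string only; it is documentation of the failure mode, not run here.
const ATTACKER_FRAME_EXAMPLE =
  '<iframe sandbox="allow-scripts" srcdoc="<script>' +
  "fetch('https://api.example/me', {credentials: 'include'})" +
  '</script>"></iframe>';

module.exports = { weakCorsHeaders, strictCorsHeaders, ATTACKER_FRAME_EXAMPLE };
```

The decisive difference is in how "null" and unlisted values are handled: the weak responder answers `Access-Control-Allow-Origin: null` with credentials enabled, which any site can exploit through a sandboxed frame; the strict responder returns no grant and leaves only `Vary: Origin`, so the browser blocks the cross-origin read.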