- From: Anne van Kesteren <annevk@opera.com>
- Date: Mon, 29 Sep 2008 07:58:17 +0200
On Mon, 29 Sep 2008 13:41:59 +0200, Michal Zalewski <lcamtuf at dione.cc> wrote:

> Note that the current implementation proposals for "Origin" headers
> (which I believe are limited to non-GET, non-HEAD requests) would not
> prevent this attack, nor some other potential attack vectors; they would
> probably need to be modified to include "Origin" header on SRC= GET
> requests on IFRAME / EMBED / OBJECT / APPLET.

A cross-site XMLHttpRequest request would always include Origin. I haven't really seen other specifications start using it yet, but I believe there are some experimental implementations for including it in cross-site <form> POST requests.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Sunday, 28 September 2008 22:58:17 UTC
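The point of the exchange above is which requests a server can expect to carry Origin: cross-site XMLHttpRequest always, form POSTs perhaps, GET subresource loads (IFRAME/EMBED/OBJECT/APPLET src) not under the proposals discussed. The following is an added example, not code from the thread or from either participant, showing how a server-side check would have to respect that: gate only state-changing methods on Origin, fall back to the Referer's origin when Origin is absent, and never rely on the header for GET. The allowlist and header values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Methods that per HTTP must be side-effect free; the thread notes Origin is
# not guaranteed on GET/HEAD (e.g. IFRAME/EMBED src loads), so these are not
# gated on Origin here. The real mitigation is never to mutate state on them.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Return scheme://host[:port] of a URL (lowercased), or None if unparsable."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method, headers, allowed_origins):
    """Decide whether a request may be treated as same-site.

    headers: dict of request header name -> value (case-insensitive names).
    allowed_origins: iterable of serialized origins, e.g. "https://app.example"
    (constructed for this example).
    Returns (decision, reason) with decision in {"allow", "deny"}.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    allowed = {o.lower() for o in allowed_origins}

    if method.upper() in SAFE_METHODS:
        return ("allow", "safe method; handler must be side-effect free")

    origin = hdrs.get("origin")
    if origin is not None:
        # "null" is the serialization of an opaque origin (sandboxed frames,
        # some redirects); treat it as untrusted rather than as a match.
        if origin.strip().lower() == "null":
            return ("deny", "opaque origin")
        if origin.strip().lower() in allowed:
            return ("allow", "origin matches")
        return ("deny", "origin mismatch")

    # No Origin header: older clients or form posts without the experimental
    # support mentioned in the thread. Fall back to the Referer's origin, and
    # deny when neither header is present rather than assuming same-site.
    referer = hdrs.get("referer")
    if referer is not None:
        if origin_of(referer) in allowed:
            return ("allow", "referer matches")
        return ("deny", "referer mismatch")
    return ("deny", "no origin or referer on state-changing request")
```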