- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Thu, 30 Jun 2011 20:14:54 -0400
- To: www-style@w3.org
On 6/30/11 6:55 PM, Glenn Adams wrote:
> if EvilCompany does not include an Origin header in its request

EvilCompany doesn't get to generate its request. EvilCompany relies on requests the user's browser makes.

> if BigCompany does not respond to fetches not containing an Origin, then
> again EvilCompany can guess an origin that permits access, resulting in
> a fetch;

EvilCompany can't make direct requests to sites inside BigCompany's firewall.

> EvilCompany does not need to use a UA, but can construct their own HTTP
> client to accomplish this;

No, see above.

-Boris
Received on Friday, 1 July 2011 00:15:22 UTC