-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Take a look at http://beefproject.com internals.
We're using that header. Actually it depends how do you use it. It's like crossdomain.xml: you can use a wildcard or not, it's up to you. Cheers antisnatchor David Blanc wrote: > Does 'Access-Control-Allow-Origin' header provide any benefits in > defending against cross site scripting attacks? > > Doesn't 'Access-Control-Allow-Origin' header make any XSS flaw > trivially exploitable? For example, if an attacker finds an XSS flaw > in a web application, he can now inject a JavaScript with > XMLHttpRequest that sends a request to attacker's web server which > serves resources with the HTTP header "Access-Control-Allow-Origin: > *". The browser would see this header and fetch the resource from the > attacker's web server. > > Isn't the web a safer place without this header? > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJPRUjKAAoJEBgl8Z+oSxe4Gn8H+wTu5HqCgm5md7jZOghFV0c0 TSgTakNd05x60raj1wNeCXjqE2mqHDvECjJIezlzlDgAx3q2TpagUlzR2iIICc6Y 25N9CCIkvb6WPqBl3Ee/NYkXPgKb6GDNGzdzNGZtrzZZrvOP3Dy6MCvw6RxwjcWo DtAzvHd4tAktRMfOpE61ICwyXOl5dCER4a/ai3DolN7O5xJvv0SsB3qgBF+4++pJ XhuQC9WA3j9994k9n9x4NGqJBZUE7vvfTIZR3T85BgcY8YiJgOHTmarMF7Fb6kHB mSLEVLWE1bY3aMKN7+SPjnkS7LZeCoMnhmXEQ2jcWCPUBQpv/hzjq6hgduOSoes= =xNpJ -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/