On Thu, Apr 11, 2013 at 6:05 PM, Jann Horn <[email protected]> wrote:
> On Thu, Apr 11, 2013 at 05:01:57PM +0200, Jan Wrobel wrote:
>> [...]
>
> CDNs could mitigate this by, instead of resetting connections with lots of headers,
> just reading all the cookies and throwing them into the bit bucket instead of keeping
> them in RAM, right? That way, there would still be the wasted bandwidth, but
> combined with the Google approach, it should work fine, right? If the client sends too
> many headers, just ignore everything until you reach \n\n, then send back the error
> script?
In my view a cookie resetting script is rather a last-resort defense, not a reliable mechanism to depend upon. Sites that include resources from a CDN rarely serve main or iframed HTML documents from the CDN origin, and this is required for the resetting script to work. If such a script was returned when a browser is expecting a script, img, css or other non-HTML sub-resource, it would not work.

Jan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
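The two points in this exchange, reading past oversized cookies instead of buffering them (Jann) and only serving the cookie-clearing page when the browser will actually render it as an HTML document (Jan), as an added example that is not part of the thread and not any CDN's real code. The edge-server sketch below is mine: `read_head` measures Cookie header bytes without keeping them, `decide` picks one of close/forward/reset/reject, and `expects_html` uses the `Sec-Fetch-Dest` header where a current browser sends it and falls back to the `Accept` heuristic otherwise. The limits, the 431 status and the request heads in the `__main__` block are assumptions constructed for illustration.

```python
import io

# Limits assumed for this example; a deployment tunes them to its own traffic.
MAX_COOKIE_BYTES = 4096       # cookie bytes the origin is willing to see per request
MAX_HEAD_BYTES = 256 * 1024   # hard cap on bytes read per request head before closing
CHUNK = 8192                  # readline() limit, so one long line never buffers unbounded

# Cookie-clearing page; only useful when the browser asked for an HTML document.
RESET_PAGE = b"""<!doctype html>
<title>431 Request Header Fields Too Large</title>
<script>
document.cookie.split(';').forEach(function (c) {
  var name = c.split('=')[0].trim();
  if (!name) return;
  // A cookie is only cleared by a Set-Cookie whose Path matches the one it was set with.
  ['/', location.pathname].forEach(function (p) {
    document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=' + p;
  });
});
location.reload();
</script>
"""


def read_head(stream, max_head_bytes=MAX_HEAD_BYTES):
    """Read one HTTP/1.1 request head from `stream` up to the blank line.

    Cookie header values are measured but never stored, so a cookie bomb costs
    the edge bandwidth but not memory. Returns (request_line, headers,
    cookie_bytes, aborted): `headers` never holds a Cookie entry, and `aborted`
    is True when the head passed max_head_bytes or ended early, in which case
    the caller should just close the connection.
    """
    request_line, headers, cookie_bytes, total = None, {}, 0, 0
    mid_line, in_cookie = False, False
    while True:
        chunk = stream.readline(CHUNK)
        if not chunk:                        # EOF before the blank line
            return request_line, headers, cookie_bytes, True
        total += len(chunk)
        if total > max_head_bytes:
            return request_line, headers, cookie_bytes, True
        complete = chunk.endswith(b"\n")
        if mid_line:                         # remainder of a line longer than CHUNK
            if in_cookie:
                cookie_bytes += len(chunk.rstrip(b"\r\n"))
            mid_line = not complete
            continue
        if request_line is None:
            if not complete:                 # an over-long request line is not worth parsing
                return None, headers, cookie_bytes, True
            request_line = chunk.rstrip(b"\r\n").decode("latin-1")
            continue
        if chunk in (b"\r\n", b"\n"):
            return request_line, headers, cookie_bytes, False
        mid_line = not complete
        name, sep, value = chunk.partition(b":")
        if not sep:                          # junk line: discarded
            in_cookie = False
            continue
        in_cookie = name.strip().lower() == b"cookie"
        if in_cookie:
            cookie_bytes += len(value.strip())   # counted, never kept
        elif complete:                       # over-long non-cookie headers are dropped too
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")


def expects_html(headers):
    """Will the browser render an HTML body in response to this request?

    Sec-Fetch-Dest (sent by current browsers) says so directly; older browsers
    are judged by Accept, which carries text/html for navigations but not for
    script, image or stylesheet fetches.
    """
    dest = headers.get("sec-fetch-dest")
    if dest is not None:
        return dest in ("document", "iframe", "frame")
    return "text/html" in headers.get("accept", "")


def decide(headers, cookie_bytes, aborted, max_cookie_bytes=MAX_COOKIE_BYTES):
    """Map a parsed head to one of: close, forward, reset, reject."""
    if aborted:
        return "close", None
    if cookie_bytes <= max_cookie_bytes:
        return "forward", None               # hand on to the normal pipeline
    if expects_html(headers):
        return "reset", RESET_PAGE           # 431 plus the cookie-clearing page
    return "reject", b""                     # bare 431: a <script>/<img>/<link> can't run the page


def handle(raw):
    """Run parser and policy over one raw request head; returns (action, cookie_bytes, headers)."""
    _, headers, cookie_bytes, aborted = read_head(io.BytesIO(raw))
    action, _body = decide(headers, cookie_bytes, aborted)
    return action, cookie_bytes, headers


if __name__ == "__main__":
    bomb = b"Cookie: a=" + b"x" * 10000 + b"\r\n"   # constructed cookie bomb
    nav = b"GET / HTTP/1.1\r\nHost: cdn.example\r\nAccept: text/html,*/*;q=0.8\r\n" + bomb + b"\r\n"
    js = b"GET /lib.js HTTP/1.1\r\nHost: cdn.example\r\nAccept: */*\r\n" + bomb + b"\r\n"
    print(handle(nav)[0], handle(js)[0])
```

The navigation request gets the reset page, the script fetch gets a bare 431, and in neither case does the oversized Cookie value survive past the parser. A head that keeps growing past `MAX_HEAD_BYTES` is closed rather than read to completion, since reading "until \n\n" with no ceiling is its own slow-drip problem.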
