On Wed, 30 Jan 2008 22:40:13 +0100, Thomas Roessler <[EMAIL PROTECTED]> wrote:
Here's a suggestion:
The solution should not introduce additional attack vectors
against services that are protected only by way of firewalls. This
requirement addresses "intranet" style services that authorize any
requests that can be sent to the service.
Note that this requirement does not preclude HEAD, OPTIONS, or GET
requests (even with ambient authentication and session
information).
I would suggest to refrain from any further discussion of what is or
is not possible.
Fixed, thanks. (Though please check.)
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>