On Wed, 20 Feb 2008 07:07:33 +0100, Mark Baker <[EMAIL PROTECTED]> wrote:
On 2/19/08, Anne van Kesteren <[EMAIL PROTECTED]> wrote:
The issue is that cross-site requests that are possible today for GET do
not involve arbitrary headers made up by the author. Therefore servers
could be vulnerable to cross-site GET requests that do have arbitrary
headers set. This is a new attack vector and has nothing to do with the
same-origin blacklist.
Hmm, I'm really not getting this...
Can you describe one of these possible vulnerabilities for me please?
http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0191.html
And can you describe how it would only be triggered by a cross-site
request and not a regular old GET on the same URL?
Currently cross-site GET requests with arbitrary headers set are not
possible.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
