On Mon, 25 Feb 2008 10:59:15 +0100, Collin Jackson <[EMAIL PROTECTED]> wrote:
> For public web servers, a practical way to defend against these attacks is to check the request's Host header as well as the Access-Control-Origin header. If the Host header doesn't match the server's host name, the server should ignore the Access-Control-Origin header and refuse the request. The specification should recommend this defense in Section 3 (Security Considerations).
Thanks, I've added this. I gave credit to you and Adam Barth. Hope that's ok.
http://dev.w3.org/2006/waf/access-control/#security

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
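
The Host-then-origin check that the quoted message proposes, written out as a server-side decision routine. This is an added example, not code from the Access-Control draft, from Opera, or from either participant in the thread. It uses the request-header name from the 2008 draft quoted above (Access-Control-Origin, the header later renamed Origin), takes request headers as a plain dict with exact-case keys (a real server normalizes header-name case before this point), and the host and origin lists are constructed for illustration. The caller is left to format the actual access-control response header, since that syntax is not on this page.

```python
"""Host-header check in front of Access-Control-Origin processing.

Added example; not the draft's or the thread's own code. The request-header
name follows the 2008 draft quoted above ("Access-Control-Origin"). The host
and origin lists are constructed values for illustration only.
"""

# Every name (and name:port form) under which this server is legitimately
# reachable. Constructed; a real deployment lists its own hostnames.
SERVER_HOSTS = frozenset({"example.com", "example.com:443"})

# Cross-site origins this server is willing to grant access to. Constructed.
ALLOWED_ORIGINS = frozenset({"https://app.example.net"})


def normalize_host(raw):
    """Canonicalize a Host header value, or return None if it is malformed.

    Lower-cases the name, drops a trailing dot, keeps an explicit port and
    accepts a bracketed IPv6 literal. A value containing a path, userinfo
    or whitespace is rejected outright rather than guessed at.
    """
    if raw is None:
        return None
    host = raw.strip().lower()
    if not host or any(c in host for c in "/@\\ \t\r\n"):
        return None
    if host.startswith("["):                       # bracketed IPv6 literal
        end = host.find("]")
        if end < 0:
            return None
        name, rest = host[:end + 1], host[end + 1:]
        if rest == "":
            return name
        if rest.startswith(":") and rest[1:].isdigit():
            return name + rest
        return None
    name, sep, port = host.rpartition(":")
    if not sep:                                    # no explicit port
        return host.rstrip(".")
    if not name or not port.isdigit():
        return None
    return f"{name.rstrip('.')}:{port}"


def decide(headers, server_hosts=SERVER_HOSTS, allowed_origins=ALLOWED_ORIGINS):
    """Apply the Host-then-origin check to one request.

    `headers` is a dict of request headers with exact-case keys (assumption:
    the server has already canonicalized header names). Returns a tuple
    (accepted, origin_to_echo, reason); origin_to_echo is the
    Access-Control-Origin value the caller may grant in its response, or None.
    """
    host = normalize_host(headers.get("Host"))
    known = {normalize_host(h) for h in server_hosts}
    if host is None or host not in known:
        # Wrong or missing Host: as the quoted message suggests, do not
        # consult Access-Control-Origin at all and refuse the request.
        return (False, None, "Host header missing or not one of this server's names")
    origin = headers.get("Access-Control-Origin")
    if origin is None:
        return (True, None, "no Access-Control-Origin header; not a cross-site access-control request")
    origin = origin.strip()
    if origin not in allowed_origins:
        return (False, None, "Access-Control-Origin not in the allowed list")
    return (True, origin, "Host and Access-Control-Origin both accepted")


if __name__ == "__main__":
    # Constructed sample requests: a legitimate one, a spoofed/rebound Host,
    # a missing Host, and a disallowed origin behind a correct Host.
    samples = [
        {"Host": "example.com", "Access-Control-Origin": "https://app.example.net"},
        {"Host": "attacker.example", "Access-Control-Origin": "https://app.example.net"},
        {"Access-Control-Origin": "https://app.example.net"},
        {"Host": "example.com", "Access-Control-Origin": "https://evil.example.org"},
    ]
    for h in samples:
        print(h, "->", decide(h))
```

The order matters: the Host comparison runs before the origin is even read, so a request that reaches the server under a hostname it does not own is refused regardless of how plausible its Access-Control-Origin looks. Keep the configured host list tight (only names you actually serve, with the port forms you actually listen on); a wildcard or substring match on Host would reopen the hole the check is meant to close.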
