Collin Jackson wrote:
On Tue, Feb 19, 2008 at 1:10 AM, Anne van Kesteren <[EMAIL PROTECTED]> wrote:
> specification we'd have to choose a header name that starts with
> "Proxy-". There have been many other proposals for new
> security-related HTTP headers (e.g. content restrictions) so it would
> be nice to solve this issue in general.
Comments like this do encourage me to introduce "Sec-" so we don't get a
whole bunch of fake "Proxy-" headers. (Note that not all clients blacklist
everything "Proxy-" yet.)
Please make sure to block setting the "Access-Control-Origin" header,
or rename it to have a restricted prefix.
If a page could use XMLHttpRequest to spoof this header for
same-origin requests, it could use DNS rebinding to spoof this header
in a request to an IP address of the attacker's choosing. If the
target server was validating the Access-Control-Origin header but not
the Host header, the server would think the request came from the
wrong origin.
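The failure mode Collin describes, shown as an added example that is not part of the thread or of any browser or spec code: a server that trusts the draft's "Access-Control-Origin" header alone will accept a DNS-rebound request, while one that first checks the Host header against the names it actually serves will reject it. The header names follow the thread; the hostnames, origin values and request dicts are constructed for illustration.

```python
# Added example: server-side validation with and without a Host check.
# All host names, origins and sample requests below are constructed.

EXPECTED_HOSTS = {"api.example.test", "api.example.test:8080"}  # names we serve (assumed)
ALLOWED_ORIGINS = {"http://app.example.test"}                   # origins we trust (assumed)

# Draft header name as used in the thread; header names are compared case-insensitively.
ORIGIN_HEADER = "access-control-origin"


def _lower(headers):
    """Normalise header names to lowercase so lookups are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def check_origin_only(headers):
    """Weak check: trusts the origin header, ignores Host.

    Returns (allowed, reason)."""
    h = _lower(headers)
    origin = h.get(ORIGIN_HEADER)
    if origin in ALLOWED_ORIGINS:
        return True, "origin allowed"
    return False, "origin not allowed"


def check_host_and_origin(headers):
    """Stronger check: the request must be addressed to a name we serve
    before the origin header is consulted at all.

    In the DNS-rebinding case the browser resolved the attacker's name to
    this server's IP, so Host carries the attacker's name, not ours; that
    is what this check catches."""
    h = _lower(headers)
    host = h.get("host")
    if host not in EXPECTED_HOSTS:
        return False, "host mismatch"
    origin = h.get(ORIGIN_HEADER)
    if origin in ALLOWED_ORIGINS:
        return True, "origin allowed"
    return False, "origin not allowed"


# Constructed sample requests (only the relevant headers shown).
LEGIT_REQUEST = {
    "Host": "api.example.test",
    "Access-Control-Origin": "http://app.example.test",
}

# A rebound request: the page at attacker.test pointed its name at our IP,
# so Host names the attacker, while the origin header is forged to look trusted.
REBOUND_REQUEST = {
    "Host": "attacker.test",
    "Access-Control-Origin": "http://app.example.test",
}


def demo():
    """Return the verdicts of both checks on both requests."""
    return {
        "legit_origin_only": check_origin_only(LEGIT_REQUEST),
        "legit_host_and_origin": check_host_and_origin(LEGIT_REQUEST),
        "rebound_origin_only": check_origin_only(REBOUND_REQUEST),
        "rebound_host_and_origin": check_host_and_origin(REBOUND_REQUEST),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The origin-only variant accepts the rebound request because the forged header matches an allowed origin; the Host-first variant rejects it before the origin header is even read, which is the property Collin is asking the spec to preserve by making the header unspoofable.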
Currently released browsers are always going to be able to send this
header. If that is a big security problem I suggest you bring that up on
the WAF mailing list and detail your concern.
/ Jonas