On Wed, Apr 8, 2009 at 1:32 PM, Bil Corry <b...@corry.biz> wrote:
> BTW, one reason to do this is to help deter timing attacks. Any request that
> arrives for the login page or a protected page that isn't same-origin can be
> redirected to a common landing page.
This doesn't make much sense. People mount timing attacks against the login form from their own machine (where they can send whatever headers they like).

Adam