On Wed, 17 Jun 2009 07:41:42 +0200, Tyler Close <[email protected]> wrote:
> One solution is:
>
> 1. Don't add any client credentials to requests.
> 2. Allow the script to use whatever HTTP method, headers and request
> entity it wants, restricting use of some headers, such as Referer.
>
> This leaves resources relying solely on a firewall for authentication
> vulnerable.
It also leaves sites vulnerable that do IP-based authentication.

-- 
Anne van Kesteren
http://annevankesteren.nl/
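The exchange above names the risk (a resource that treats the client's network position, a firewall or an IP allow-list, as its only credential cannot tell a user's own request from a credential-free cross-origin request that a browser on that same network was scripted into making) but not a server-side check for it. The following is an added illustration, not code from the thread or from any browser or specification: it models the two policies side by side. `ip_only_policy` is the arrangement the reply calls vulnerable; `ip_plus_origin_policy` additionally requires that a request carrying a browser-supplied Origin header name an allowed origin. The use of the Origin header as the discriminator, the `ALLOWED_ORIGINS` list, the `10.0.0.0/8` range and the sample requests are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict

# Constructed sample environment: an intranet resource reachable only from a
# corporate address range, standing in for the firewall/IP-authenticated
# resources discussed in the thread.
TRUSTED_NETWORK = ip_network("10.0.0.0/8")

# Hypothetical allow-list of web origins whose pages may drive cross-origin,
# credential-free requests to this resource (an assumption of this example).
ALLOWED_ORIGINS = {"https://intranet.example"}


@dataclass
class Request:
    client_ip: str
    method: str
    headers: Dict[str, str] = field(default_factory=dict)


def ip_only_policy(req: Request) -> bool:
    """The policy the reply calls vulnerable: the source address is the only credential.

    Any browser on the trusted network that is induced to issue a cross-origin
    request passes this check, because the check never looks at who triggered it.
    """
    return ip_address(req.client_ip) in TRUSTED_NETWORK


def ip_plus_origin_policy(req: Request) -> bool:
    """Network position is necessary but not sufficient.

    A browser making a cross-origin request attaches an Origin header naming the
    page that triggered it. A request that arrives from a trusted address but
    carries an Origin outside the allow-list is therefore a cross-origin request
    issued by an intranet user's browser on behalf of some other site, and is
    refused. A request with no Origin header (a same-origin request from an
    older browser, or a non-browser client) is treated as before; a stricter
    deployment could refuse Origin-less state-changing methods as well, at the
    cost of breaking such clients.
    """
    if ip_address(req.client_ip) not in TRUSTED_NETWORK:
        return False
    origin = req.headers.get("Origin")
    if origin is None:
        return True
    return origin in ALLOWED_ORIGINS


def compare_policies(req: Request) -> Dict[str, bool]:
    """Return both verdicts for one request so the difference is visible."""
    return {
        "ip_only": ip_only_policy(req),
        "ip_plus_origin": ip_plus_origin_policy(req),
    }


# Constructed sample requests, all from an address inside the trusted range
# except the last one.
SAMPLE_REQUESTS = {
    "same_origin_no_origin_header": Request("10.1.2.3", "GET"),
    "allowed_cross_origin": Request(
        "10.1.2.3", "POST", {"Origin": "https://intranet.example"}
    ),
    "foreign_cross_origin": Request(
        "10.1.2.3", "POST", {"Origin": "https://other.example"}
    ),
    "outside_network": Request("203.0.113.5", "GET"),
}


def evaluate_samples() -> Dict[str, Dict[str, bool]]:
    """Evaluate every constructed sample under both policies."""
    return {name: compare_policies(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate_samples().items():
        print(f"{name:30s} ip_only={verdicts['ip_only']!s:5s} "
              f"ip_plus_origin={verdicts['ip_plus_origin']}")
```

The one row that differs between the two columns is the request from a trusted address whose Origin is a foreign site: the IP-only policy accepts it, which is exactly the exposure the reply points at, while the origin-aware policy refuses it without affecting same-origin or non-browser traffic.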
