On Thu, 24 Feb 2011 14:43:47 +0100, Richard L. Barnes <[email protected]>
wrote:
On Feb 24, 2011, at 6:53 AM, Anne van Kesteren wrote:
Would this not mean that for each new header introduced servers would
have to check an "XHR2-secure" header in addition to it to make sure it
is not being spoofed? That kind of complexity seems like something we
should avoid.
Even with the Sec-*, you need to check any new headers belong to that
namespace or the fixed enumeration. So it's just a question of how you
check, set containment vs. prefix match. I'll admit that checking
membership in a set is slightly more complex than a memcmp, but the
difference doesn't seem all that significant.
With Sec-* only the client needs to be aware of the tricks. The server can
simply trust the values because it can never get spoofed secure headers
from compliant clients.
--
Anne van Kesteren
http://annevankesteren.nl/
