On 24.02.2011 15:00, Anne van Kesteren wrote:
On Thu, 24 Feb 2011 14:43:47 +0100, Richard L. Barnes <rbar...@bbn.com>
wrote:
On Feb 24, 2011, at 6:53 AM, Anne van Kesteren wrote:
Would this not mean that for each new header introduced servers would
have to check an "XHR2-secure" header in addition to it to make sure
it is not being spoofed? That kind of complexity seems like something
we should avoid.

Even with the Sec-*, you need to check any new headers belong to that
namespace or the fixed enumeration. So it's just a question of how you
check, set containment vs. prefix match. I'll admit that checking
membership in a set is slightly more complex than a memcmp, but the
difference doesn't seem all that significant.

With Sec-* only the client needs to be aware of the tricks. The server
can simply trust the values because it can never get spoofed secure
headers from compliant clients.

As long as the server relies on the request being sent by XMLHttpRequest, right? Use a different type of client, and the header fields could be sent...

BR, Julian
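As an added illustration (not code from anyone in the thread) of the two server-side checks Richard compares, plus Julian's caveat: the enumeration below is constructed for illustration only, and the `client_is_browser` flag stands in for knowledge the server does not actually have from the request alone.

```python
"""Server-side view of "which request headers can page script not set?"

Two ways a server can recognise a header that a compliant XHR client will
never let script set (and so cannot be spoofed *from a browser*):
  * set containment: the name is in a fixed enumeration
  * prefix match:    the name starts with "Sec-"
Header names are case-insensitive, so both checks must fold case; a raw
memcmp against "Sec-" would miss "sec-foo".
"""

# Constructed, shortened enumeration for illustration; the authoritative
# list is the one in the XHR spec, not this tuple.
ENUMERATED_PROTECTED = frozenset(n.lower() for n in (
    "Origin", "Referer", "Host", "Cookie", "Content-Length",
    "Access-Control-Request-Method", "Access-Control-Request-Headers",
))
PROTECTED_PREFIX = "sec-"


def protected_by_set(name: str) -> bool:
    """Set containment: is the (case-folded) name in the fixed list?"""
    return name.lower() in ENUMERATED_PROTECTED


def protected_by_prefix(name: str) -> bool:
    """Prefix match: does the (case-folded) name live in the Sec-* namespace?"""
    return name.lower().startswith(PROTECTED_PREFIX)


def browser_protected(name: str) -> bool:
    """Either rule: set membership for legacy names, prefix for new ones."""
    return protected_by_set(name) or protected_by_prefix(name)


def classify(headers, client_is_browser: bool):
    """Split request headers into those the server may treat as set by the
    user agent and those any script (or any client) could have supplied.

    client_is_browser is a hypothetical flag: the server cannot derive it
    from the request itself, which is Julian's point. A non-browser client
    can send any field, so without that knowledge nothing is UA-controlled.
    """
    trusted, untrusted = {}, {}
    for name, value in headers:
        if client_is_browser and browser_protected(name):
            trusted[name] = value
        else:
            untrusted[name] = value
    return trusted, untrusted
```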
