On Sat, 13 Jun 2009 01:34:09 +0200, Mark S. Miller erig...@google.com wrote:
On Mon, Jun 8, 2009 at 2:44 PM, Anne van Kesteren ann...@opera.com
wrote:
I sort of like the idea of having a new (named) constructor or maybe
have the constructor take an argument to indicate credentials are
On Sat, 30 May 2009 09:26:40 +0200, Charles McCathieNevile cha...@opera.com
wrote:
On Wed, 22 Apr 2009 16:57:41 +0200, Anne van Kesteren ann...@opera.com
wrote:
I can see some value in this specification giving advice as to what the
names of the events should be and what order they should
On Fri, Jun 12, 2009 at 10:36 PM, Adam Barth w...@adambarth.com wrote:
Isn't your answer above only about client (user agent) behavior? I'd still
like to understand what the recommended/expected difference in server behavior
should/might be depending on whether Origin is absent or null. Thanks.
On Tue, 02 Jun 2009 14:55:38 +0200, Mark Nottingham m...@mnot.net wrote:
One other thing - as I understand the current design, if a preflight
request is redirected, the redirect is required to have an
Access-Control-Allow-Origin header. This is implied in the client redirect
steps, but
Hey Mark,
Thanks a lot for your review, very much appreciated. It's somewhat unfortunate
that you raise these substantive issues at such a late stage given that we have
shipping implementations at this point. As such I'm not clear whether we can
still resolve those in a satisfactory way.
On
On Wed, 01 Apr 2009 12:11:35 +0200, Anne van Kesteren ann...@opera.com wrote:
On Wed, 01 Apr 2009 12:05:08 +0200, Alexey Proskuryakov a...@webkit.org
wrote:
As there seems to be no danger in allowing this header for same origin
requests, I'd suggest removing it from the list of forbidden
On Sat, Jun 13, 2009 at 5:39 AM, Tyler Close tyler.cl...@gmail.com wrote:
On Fri, Jun 12, 2009 at 10:36 PM, Adam Barth w...@adambarth.com wrote:
Suppose GuestXHR doesn't send an Origin header for any requests and a
server uses the algorithm in draft-abarth-origin to mitigate CSRF
attacks. Now,
On Sat, Jun 13, 2009 at 10:23 AM, Adam Barth w...@adambarth.com wrote:
On Sat, Jun 13, 2009 at 5:39 AM, Tyler Close tyler.cl...@gmail.com wrote:
On Fri, Jun 12, 2009 at 10:36 PM, Adam Barth w...@adambarth.com wrote:
Suppose GuestXHR doesn't send an Origin header for any requests and a
server uses
On Sat, Jun 13, 2009 at 12:20 PM, Tyler Close tyler.cl...@gmail.com wrote:
On Sat, Jun 13, 2009 at 10:23 AM, Adam Barth w...@adambarth.com wrote:
For example, GuestXHR could be used to mount a login CSRF attack.
Are you sure about that? Since the response won't carry the