On Mon, 29 Sep 2008 13:41:59 +0200, Michal Zalewski <[EMAIL PROTECTED]> wrote:
> Note that the current implementation proposals for "Origin" headers (which I believe are limited to non-GET, non-HEAD requests) would not prevent this attack, nor some other potential attack vectors; they would probably need to be modified to include "Origin" header on SRC= GET requests on IFRAME / EMBED / OBJECT / APPLET.

A cross-site XMLHttpRequest request would always include Origin. I haven't really seen other specifications start using it yet, but I believe there are some experimental implementations for including it in cross-site <form> POST requests.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
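To make the gap the two messages are discussing concrete, here is an added example (not code from either poster, nor from any browser or specification) that models the Origin proposal as the thread describes it: the browser attaches Origin to every cross-site XMLHttpRequest and to non-GET/HEAD cross-site form submissions, but not to the GET a cross-site IFRAME / EMBED / OBJECT / APPLET issues for its SRC. A server that relies only on Origin then cannot tell an embedded cross-site GET from a first-party one. The "extended" flag simulates Michal's suggested modification. The request kinds, the origin strings and the allow-list are constructed for the illustration.

```javascript
// Origins used for the constructed scenario (assumed values, not from the thread).
const SITE_ORIGIN = 'https://app.example';     // the site doing the checking
const ATTACKER_ORIGIN = 'https://evil.example'; // a page the victim's browser visits
const ALLOWED_ORIGINS = new Set([SITE_ORIGIN]);

// Model of the browser side. `kind` is one of:
//   'xhr'   cross-site XMLHttpRequest (always carries Origin under the proposal)
//   'form'  cross-site <form> submission (Origin only on non-GET/HEAD)
//   'embed' IFRAME / EMBED / OBJECT / APPLET SRC= load (never carries Origin
//           under the base proposal; does under the extended variant)
// Returns the request as the server would see it: method plus headers.
function browserRequest(kind, method, sourceOrigin, extendedProposal) {
  const headers = {};
  const nonGetOrHead = method !== 'GET' && method !== 'HEAD';
  const attachOrigin =
    kind === 'xhr' ||
    (kind === 'form' && nonGetOrHead) ||
    (kind === 'embed' && extendedProposal);
  if (attachOrigin) {
    headers.origin = sourceOrigin;
  }
  return { kind, method, headers };
}

// Model of the server side: an Origin-based cross-site check.
//   'allowed'            Origin present and on the allow-list
//   'rejected'           Origin present and not allowed, or a non-GET/HEAD request
//                        that arrived with no Origin at all
//   'allowed-unverified' GET/HEAD with no Origin: the server cannot distinguish a
//                        top-level navigation from a cross-site embedded load, so
//                        it has to let it through. This is the hole in the thread.
function serverDecision(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  if (origin === undefined) {
    const isGetOrHead = req.method === 'GET' || req.method === 'HEAD';
    return isGetOrHead ? 'allowed-unverified' : 'rejected';
  }
  return allowed.has(origin) ? 'allowed' : 'rejected';
}

// Run the four attacker-initiated requests under one variant of the proposal
// and report what the Origin check decides for each.
function simulate(extendedProposal) {
  const send = (kind, method) =>
    serverDecision(browserRequest(kind, method, ATTACKER_ORIGIN, extendedProposal));
  return {
    xhrPost: send('xhr', 'POST'),
    xhrGet: send('xhr', 'GET'),
    formPost: send('form', 'POST'),
    embedGet: send('embed', 'GET'),
  };
}

// Sanity check for first-party traffic: the site's own XHR must stay allowed.
function firstPartyXhr() {
  return serverDecision(browserRequest('xhr', 'POST', SITE_ORIGIN, false));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('base proposal:    ', simulate(false));
  console.log('extended proposal:', simulate(true));
  console.log('first-party XHR:  ', firstPartyXhr());
}
```

Under the base proposal every cross-site XHR and the cross-site form POST are rejected, but the embedded GET comes back `allowed-unverified`: exactly the case Michal's note says the proposal would have to cover. With the extended variant the same GET carries Origin and is rejected. The usual caveat applies to any check of this shape: a missing Origin cannot safely be treated as "same-site", so an Origin-only check protects only the request types the browser is known to tag.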
