On Wed, Apr 18, 2012 at 3:50 PM, Luke Plant <[email protected]> wrote:
> One query: are you sure it is harder to manipulate? In particular, I
> remember from a while back that Flash allowed some headers to be
> manipulated, which caused problems, and they fixed it by blacklisting
> some headers, I think including referer. Did they also fix Origin?
In very old browsers and very old versions of flash*, the origin header isn't on the blacklist. This is why I propose to only use it as a negative signal (if present, and does not match, fail) rather than also as a positive signal. In a year or two (maybe 2014 when IE6 is finally, truly, laid to rest), we can revisit the idea of using it as a positive signal.

-Paul

* It has been patched in version 7 and onward. If you are running unpatched flash, you probably have so many viruses it doesn't matter...
http://helpx.adobe.com/flash-player/kb/actionscript-error-send-action-contains.html
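The "negative signal only" rule Paul describes, written out as an added Python example (not Django's CSRF middleware and not code from this thread): a present-but-mismatching Origin rejects the request, an absent Origin is never treated as proof of same-origin, and the existing token check still decides every unsafe request. `EXPECTED_ORIGIN`, the function names and the sample requests are assumptions.

```python
from urllib.parse import urlsplit

# Constructed site origin; Django would derive it from the request's scheme
# and Host header (hypothetical value, not from the thread).
EXPECTED_ORIGIN = "https://example.com"

def _normalize(origin):
    """Reduce an origin string to a comparable (scheme, host[:port]) pair."""
    parts = urlsplit(origin.strip().lower())
    return (parts.scheme, parts.netloc)

def origin_mismatch(origin_header, expected_origin=EXPECTED_ORIGIN):
    """Negative signal only: True when Origin is present AND differs from
    expected. An absent header returns False, but that is not evidence of a
    same-origin request (old browsers/plugins omit it), so it is never a pass."""
    if origin_header is None:
        return False
    origin = origin_header.strip().lower()
    if origin == "null":  # opaque origin is never "us": treat as mismatch
        return True
    return _normalize(origin) != _normalize(expected_origin)

def csrf_verdict(method, headers, token_valid, expected_origin=EXPECTED_ORIGIN):
    """Origin can only reject; the token check still decides every unsafe request."""
    if method.upper() in ("GET", "HEAD", "OPTIONS", "TRACE"):
        return "ok"  # safe methods are not CSRF-protected
    if origin_mismatch(headers.get("Origin"), expected_origin):
        return "reject: origin mismatch"
    if not token_valid:
        return "reject: bad csrf token"
    return "ok"

# Constructed sample requests, not captured traffic: (method, headers, token_valid)
SAMPLES = [
    ("POST", {"Origin": "https://example.com"}, True),    # same origin, good token
    ("POST", {"Origin": "https://other.example"}, True),  # cross-site despite good token
    ("POST", {}, True),                                   # no Origin: token decides
    ("POST", {}, False),                                  # no Origin, bad token
    ("POST", {"Origin": "https://example.com"}, False),   # matching Origin is not a pass
    ("POST", {"Origin": "null"}, True),                   # opaque origin
    ("GET", {"Origin": "https://other.example"}, False),  # safe method, Origin ignored
]

def run_samples():
    """Return the verdict for each constructed sample, in order."""
    return [csrf_verdict(m, h, t) for m, h, t in SAMPLES]
```

The fifth sample is the point of the thread: a matching Origin with a bad token is still rejected, because Origin is not used as a positive signal.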
