I am sorry, I don't understand what you are trying to say here. Which question of mine did you answer?
BTW, I'm aware that whether we use a wildcard or not is up to us. On Thu, Feb 23, 2012 at 1:28 AM, Michele Orru <antisnatc...@gmail.com> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Take a look at http://beefproject.com internals. > > We're using that header. > > Actually it depends how do you use it. > It's like crossdomain.xml: you can use a wildcard or not, > it's up to you. > > Cheers > antisnatchor > > David Blanc wrote: >> Does 'Access-Control-Allow-Origin' header provide any benefits in >> defending against cross site scripting attacks? >> >> Doesn't 'Access-Control-Allow-Origin' header make any XSS flaw >> trivially exploitable? For example, if an attacker finds an XSS flaw >> in a web application, he can now inject a JavaScript with >> XMLHttpRequest that sends a request to attacker's web server which >> serves resources with the HTTP header "Access-Control-Allow-Origin: >> *". The browser would see this header and fetch the resource from the >> attacker's web server. >> >> Isn't the web a safer place without this header? >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > -----BEGIN PGP SIGNATURE----- > Version: GnuPG/MacGPG2 v2.0.17 (Darwin) > Comment: GPGTools - http://gpgtools.org > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iQEcBAEBAgAGBQJPRUjKAAoJEBgl8Z+oSxe4Gn8H+wTu5HqCgm5md7jZOghFV0c0 > TSgTakNd05x60raj1wNeCXjqE2mqHDvECjJIezlzlDgAx3q2TpagUlzR2iIICc6Y > 25N9CCIkvb6WPqBl3Ee/NYkXPgKb6GDNGzdzNGZtrzZZrvOP3Dy6MCvw6RxwjcWo > DtAzvHd4tAktRMfOpE61ICwyXOl5dCER4a/ai3DolN7O5xJvv0SsB3qgBF+4++pJ > XhuQC9WA3j9994k9n9x4NGqJBZUE7vvfTIZR3T85BgcY8YiJgOHTmarMF7Fb6kHB > mSLEVLWE1bY3aMKN7+SPjnkS7LZeCoMnhmXEQ2jcWCPUBQpv/hzjq6hgduOSoes= > =xNpJ > -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
