On Mon, 05 Nov 2007 03:25:39 -0500, Jonas Sicking <[EMAIL PROTECTED]> wrote:
> I have heard arguments that the site might not want to broadcast who it is authorizing. However this could effectively be figured out still by simply brute-force testing all interesting servers and methods directly from an evil server to the target server. No browser involved, simply send HTTP requests containing Referer-Root and Method-Check headers.
This wouldn't work if you had to authorize (either through cookies or HTTP authentication) before getting to the actual document.
> Another thing that occurred to me is: do HTTP caches take the full set of request headers into account when caching? Otherwise it could be directly harmful to include Referer-Root and Method-Check headers. The cache might store an "authorize" reply when the request is made for Referer-Root A and wrongly respond with the same document when it is checked for Referer-Root B.
The authentication request cache is a separate thing that uses the Referer-Root and request URI as "primary key". Or do you mean something else?
-- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
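The cache hazard raised in the quoted text, as an added illustration (not code from the thread or from either participant): a shared HTTP cache that keys on the request URI alone hands the "allow" reply obtained for Referer-Root A to a later request from Referer-Root B, while a cache that honours the response's Vary header keeps the two apart. The origin policy, URIs and header values are constructed for the example.

```python
# Constructed origin server: it authorizes exactly one site (assumed policy).
ALLOWED_ROOTS = {"http://a.example"}

def origin(uri, req_headers):
    """Answer an access-control check; the reply depends on Referer-Root,
    so the response declares that dependency with a Vary header."""
    root = req_headers.get("Referer-Root", "")
    body = "allow" if root in ALLOWED_ROOTS else "deny"
    return 200, {"Vary": "Referer-Root, Method-Check"}, body

class Cache:
    """Toy shared cache. honour_vary=False models a cache that keys on the
    request URI only, which is the hazard described in the thread."""
    def __init__(self, honour_vary):
        self.honour_vary = honour_vary
        self.entries = {}      # uri -> list of (selecting headers, body)
        self.origin_hits = 0   # how many requests actually reached the origin

    def fetch(self, uri, req_headers):
        # A stored entry matches only if every header it was selected on
        # has the same value in this request (an empty set matches anything).
        for selecting, body in self.entries.get(uri, []):
            if all(req_headers.get(n, "") == v for n, v in selecting.items()):
                return body
        self.origin_hits += 1
        _status, resp_headers, body = origin(uri, req_headers)
        selecting = {}
        if self.honour_vary:
            for name in resp_headers.get("Vary", "").split(","):
                name = name.strip()
                if name:
                    selecting[name] = req_headers.get(name, "")
        self.entries.setdefault(uri, []).append((selecting, body))
        return body

def demo(honour_vary):
    """Check the same resource for two sites through one cache.
    Returns (reply for A, reply for B, number of origin requests)."""
    cache = Cache(honour_vary)
    uri = "http://target.example/data"
    a = cache.fetch(uri, {"Referer-Root": "http://a.example", "Method-Check": "POST"})
    b = cache.fetch(uri, {"Referer-Root": "http://b.example", "Method-Check": "POST"})
    return a, b, cache.origin_hits

if __name__ == "__main__":
    print("URI-only cache:", demo(False))   # B wrongly gets "allow"
    print("Vary-aware cache:", demo(True))  # B is re-checked and denied
```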
