On Tue, 15 Jan 2008 17:44:35 +0100, David Orchard <[EMAIL PROTECTED]> wrote:
If Cookies would be sent as part of more requests because of deployment
of the Access Control spec, then isn't this spec opening a new attack
vector? I understand your point that cookies are already sent under
img, script and form, but this is something newer and in addition to
those.

I think I disagree. The (type of) request is identical. Especially since it's about the request and not about the protocol that issues the request.


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
