Ian Hickson wrote:
On Mon, 11 Feb 2008, John Panzer wrote:
My point here is just that there are existing mechanisms that are
already deployed in the field to deal with these attacks. And to plead,
as a side note, not to block the use of such mechanisms for AC4CSR...
I'm not sure we could block them if we tried. :-)
(Though they might need to use different headers, of course -- we
obviously can't allow scripts doing cross-origin requests to arbitrarily
change HTTP authentication headers.)
Sorry, it's not obvious to me. We're talking about a situation where
the server has explicitly opted in to CSRs. I can understand not
sending authorization data from the browser itself by default, maybe,
but to block scripts from setting a header seems unnecessary and will
just lead to X-Authorization:.