On 2/19/08, Anne van Kesteren <[EMAIL PROTECTED]> wrote: > The issue is that cross-site requests that are possible today for GET do > not involve arbitrary headers made up by the author. Therefore servers > could be vulnerable to cross-site GET requests that do have arbitrary > headers set. This is a new attack vector and has nothing to do with the > same-origin blacklist.
Hmm, I'm really not getting this... Can you describe one of these possible vulnerabilities for me please? And can you describe how it would only be triggered by a cross-site request and not a regular old GET on the same URL? Thanks. Mark. -- Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca Coactus; Web-inspired integration strategies http://www.coactus.com
