On 2/20/08, Anne van Kesteren <[EMAIL PROTECTED]> wrote:
> On Wed, 20 Feb 2008 07:07:33 +0100, Mark Baker <[EMAIL PROTECTED]> wrote:
> > On 2/19/08, Anne van Kesteren <[EMAIL PROTECTED]> wrote:
> >> The issue is that cross-site requests that are possible today for GET do
> >> not involve arbitrary headers made up by the author. Therefore servers
> >> could be vulnerable to cross-site GET requests that do have arbitrary
> >> headers set. This is a new attack vector and has nothing to do with the
> >> same-origin blacklist.
> >
> > Hmm, I'm really not getting this...
> >
> > Can you describe one of these possible vulnerabilities for me please?
>
> http://lists.w3.org/Archives/Public/public-appformats/2008Feb/0191.html
Google uses a header like that for GData, but it's only meaningful with
POST requests, not GET requests;

http://code.google.com/apis/gdata/basics.html

Your premise seems to be that in the future, the community might rally
around and widely deploy brain-dead extensions which attempt to violate
the fundamental semantics of HTTP, in this case the safety of GET
messages. IMO, that's not a realistic concern.

Mark.
--
Mark Baker.  Ottawa, Ontario, CANADA.   http://www.markbaker.ca
Coactus; Web-inspired integration strategies  http://www.coactus.com
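The point Anne is making in the quoted text, modelled as an added example. This is not code from the thread, from any browser, or from GData: it assumes a hypothetical endpoint that performs a state-changing action on GET and relies on a custom header (X-Requested-With, a common choice but an assumption here) plus the ambient session cookie as its only CSRF defence, on the reasoning that a cross-site page cannot attach arbitrary headers to the GETs it can already cause via forms, <img> and <script>. The "simple" method and header sets, and the OPTIONS preflight that the server must answer before a non-simple header is sent, are assumptions taken from what the Access-Control work later standardised as CORS.

```javascript
// Added example (not from the thread). Models why letting cross-site script
// attach arbitrary headers to GET without a preflight is a new attack vector.

// Requests a cross-site page can already cause today (forms, <img>, <script>)
// use only these methods and headers. Assumption: the CORS "simple" sets.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// True if a cross-site page could already have sent this request unaided.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method)) return false;
  return Object.keys(headers).every((h) => SIMPLE_HEADERS.has(h.toLowerCase()));
}

// Hypothetical server endpoint: performs a state-changing action on GET and
// treats the custom header as proof the request came from same-origin script,
// because no cross-site page could have set it. Returns an HTTP status.
function legacyEndpoint(req) {
  if (!req.cookies || req.cookies.session !== "valid") return 401;
  if (req.headers["X-Requested-With"] !== "XMLHttpRequest") return 403;
  return 200; // action performed under the victim's session
}

// Hypothetical preflight policy: how the server answers an OPTIONS request
// for the given origin and the non-simple headers the script wants to send.
// The custom header is deliberately not on the allow list.
function preflightPolicy(origin, requestedHeaders) {
  const allowedOrigins = new Set(["https://app.example"]);
  const allowedHeaders = new Set(["accept"]);
  if (!allowedOrigins.has(origin)) return false;
  return requestedHeaders.every((h) => allowedHeaders.has(h.toLowerCase()));
}

// Browser model for a request issued by script running on `origin`.
// preflightEnforced=false is the scenario in the quoted text: cross-site
// script may add arbitrary headers to a GET without asking the server first.
// preflightEnforced=true sends an OPTIONS round-trip for any non-simple
// header and drops the request if the server does not approve it.
function crossSiteRequest(origin, method, headers, endpoint, preflightEnforced) {
  // The victim's cookie rides along ambiently, as it would in a browser.
  const req = { method, headers, cookies: { session: "valid" } };
  if (preflightEnforced && !isSimpleRequest(method, headers)) {
    const requested = Object.keys(headers)
      .filter((h) => !SIMPLE_HEADERS.has(h.toLowerCase()));
    if (!preflightPolicy(origin, requested)) {
      return { sent: false, status: null }; // request never leaves the browser
    }
  }
  return { sent: true, status: endpoint(req) };
}

// Constructed scenario: a page on an attacker-controlled origin (hypothetical
// name) tries to trigger the action in a logged-in victim's browser.
const ATTACKER = "https://evil.example";
const FORGED_HEADERS = { "X-Requested-With": "XMLHttpRequest" };

function demo() {
  return {
    noPreflight: crossSiteRequest(ATTACKER, "GET", FORGED_HEADERS, legacyEndpoint, false),
    withPreflight: crossSiteRequest(ATTACKER, "GET", FORGED_HEADERS, legacyEndpoint, true),
    plainGet: crossSiteRequest(ATTACKER, "GET", {}, legacyEndpoint, true),
  };
}
```

In the no-preflight case the forged header reaches the endpoint together with the victim's cookie and the action runs; with a preflight, the request is never sent because the server did not list the header for that origin, and a header-less cross-site GET still arrives but is refused, which is the only cross-site GET the endpoint's author ever had to worry about.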
