On Feb 20, 2008, at 20:42, Mark Baker wrote:
> It's not a new attack vector, because I can already use curl to send a GET message which causes the harm you're worried about. AFAICT, all that changes in a cross-site scenario is that the attacker uses the client as an anonymizer, something that can already be done with open proxies (of various flavours).
What changes is that the browser is on the other side of the firewall, unlike curl or an open proxy.
-- Henri Sivonen [EMAIL PROTECTED] http://hsivonen.iki.fi/
