On 2/20/08, Henri Sivonen <[EMAIL PROTECTED]> wrote:
> On Feb 20, 2008, at 20:42, Mark Baker wrote:
>
> > It's not a new attack vector, because I can already use curl to send a
> > GET message which causes the harm you're worried about. AFAICT, all
> > that changes in a cross-site scenario is that the attacker uses the
> > client as an anonymizer, something that can already be done with open
> > proxies (of various flavours).
>
> What changes is that the browser is on the other side of the firewall
> unlike curl or an open proxy.

Hmm, good point. Come to think of it, we've discussed this before.

But in that case, the attack is upon firewalls, not broken servers. So it seems to me that we'd only need to prevent hop-by-hop headers from being set (by treating the Connection header as immutable), as that's the only way in HTTP 1.1 to address an intermediary.

What do you think?

Mark.
--
Mark Baker. Ottawa, Ontario, CANADA. http://www.markbaker.ca
Coactus; Web-inspired integration strategies http://www.coactus.com
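
The restriction proposed in the message above, as an added example (not code from this thread or from any browser): a hypothetical guard that refuses script-set Connection headers, next to a minimal model of how an HTTP/1.1 intermediary consumes headers nominated by Connection. Function names and the sample headers are constructed; rejecting the full RFC 2616 hop-by-hop list, rather than Connection alone, is an assumption that goes beyond the message.

```javascript
// Added illustration; all names are hypothetical, not from a browser or spec.

// Headers that RFC 2616 section 13.5.1 lists as hop-by-hop.
const HOP_BY_HOP = new Set([
  "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
  "te", "trailers", "transfer-encoding", "upgrade",
]);

// Guard for headers a script asks to set on a cross-site request.
// Connection is treated as immutable (the proposal in the message); the
// rest of the fixed hop-by-hop list is refused too (assumption).
function filterScriptHeaders(requested) {
  const accepted = {};
  const rejected = [];
  for (const [name, value] of Object.entries(requested)) {
    if (HOP_BY_HOP.has(name.trim().toLowerCase())) rejected.push(name);
    else accepted[name] = value;
  }
  return { accepted, rejected };
}

// Minimal model of an HTTP/1.1 intermediary: it consumes the fixed
// hop-by-hop headers plus every header named as a token in Connection,
// and forwards everything else to the origin server.
function forwardThroughIntermediary(headers) {
  const nominated = new Set();
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "connection") {
      String(value).split(",").forEach((t) => nominated.add(t.trim().toLowerCase()));
    }
  }
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!HOP_BY_HOP.has(lower) && !nominated.has(lower)) forwarded[name] = value;
  }
  return forwarded;
}

// Constructed sample: a script nominates its own header via Connection.
const SAMPLE = {
  "Connection": "X-Route-Hint",
  "X-Route-Hint": "internal",
  "Accept": "text/plain",
};
```

Without the guard, the intermediary treats X-Route-Hint as addressed to itself and strips it; with Connection refused, the same header is end-to-end and passes through unchanged.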
