On Thu, 22 May 2008 11:29:51 +0200, Ian Hickson <[EMAIL PROTECTED]> wrote:
I'd vote for keeping it, with big warnings giving examples of how it can
go wrong if used on IIS servers, and with warnings to avoid using it with
mod_rewrite rules that map things out of the scope of the policy path.
If we start worrying about what happens with misconfigured servers, we're
going to end up paralysed. What about a server that's misconfigured to
delete its filesystem if you send it an OPTIONS request with a header it
doesn't recognise?
Ok, Access-Control-Policy-Path stays in. (An additional requirement for
this attack by the way is that the victim has a deal with the attacker or
that the attacker managed to get hold of a site that has a deal with
victim (in which case other bad stuff could happen as well).)
I used your example and that of Björn and added a pointer (within a big
red warning) from the definition of Access-Control-Policy-Path to the
security section where the situation is explained.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
