Re: Do we need to rename the Origin header?

2009-04-08 Thread Ian Hickson
On Thu, 9 Apr 2009, Bil Corry wrote: > > For example, imagine instead you visit a malicious site, and it wants to > phish your banking credentials. But rather than choosing a random bank > and hoping you bank there, it instead launches a series of timing > attacks against the top 30 banks, det

Re: Do we need to rename the Origin header?

2009-04-08 Thread Bil Corry
Adam Barth wrote on 4/9/2009 12:21 AM: > On Wed, Apr 8, 2009 at 10:09 PM, Bil Corry wrote: >> Using the above scenario, if Origin was populated and sent for all >> same-origin requests (including GET), the website could simply redirect any >> request for any protected resource that isn't same-o

Re: Do we need to rename the Origin header?

2009-04-08 Thread Adam Barth
On Wed, Apr 8, 2009 at 10:09 PM, Bil Corry wrote: > Using the above scenario, if Origin was populated and sent for all > same-origin requests (including GET), the website could simply redirect any > request for any protected resource that isn't same-origin. Then no one could link to the site.

Re: Do we need to rename the Origin header?

2009-04-08 Thread Bil Corry
Adam Barth wrote on 4/8/2009 11:23 PM: > On Wed, Apr 8, 2009 at 1:32 PM, Bil Corry wrote: >> BTW, one reason to do this is to help deter timing attacks. Any request >> that arrives for the login page or a protected page that isn't same-origin >> can be redirected to a common landing page. > >

Re: Do we need to rename the Origin header?

2009-04-08 Thread Adam Barth
On Wed, Apr 8, 2009 at 1:32 PM, Bil Corry wrote: > BTW, one reason to do this is to help deter timing attacks.  Any request that > arrives for the login page or a protected page that isn't same-origin can be > redirected to a common landing page. This doesn't make much sense. People mount timi

Re: Web Storage & SQL

2009-04-08 Thread Kris Zyp
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Vladimir Vukicevic wrote: > (I originally blogged this at > http://blog.vlad1.com/2009/04/06/html5-web-storage-and-sql/, but > Hixie rightfully pointed out that I should post it here for > discussion -- doing so! Blog post is copied pretty much ver

Web Storage & SQL

2009-04-08 Thread Vladimir Vukicevic
(I originally blogged this at http://blog.vlad1.com/2009/04/06/html5-web-storage-and-sql/, but Hixie rightfully pointed out that I should post it here for discussion -- doing so! Blog post is copied pretty much verbatim below, so apologies if it sounds more blog-y than post-y.) There's been

Re: Do we need to rename the Origin header?

2009-04-08 Thread Bil Corry
Adam Barth wrote on 4/7/2009 11:54 AM: > On Mon, Apr 6, 2009 at 2:09 PM, Bil Corry wrote: >> Can we please include the Origin header for all same-origin requests, >> including GET and HEAD? Or is there a compelling reason why not to do so? BTW, one reason to do this is to help deter timing att

Re: Do we need to rename the Origin header?

2009-04-08 Thread Bil Corry
Adam Barth wrote on 4/8/2009 12:58 PM: > On Wed, Apr 8, 2009 at 10:34 AM, Bil Corry wrote: >> Is "draft-abarth-origin-00.txt" entirely compatible now with CORS-Origin? > > Yes, as far as I know. If you find any incompatibility, please let me > know and I'll fix it. That means CORS, HTML5 and y

Reminder: DOM3 Events Telcon Canceled

2009-04-08 Thread Doug Schepers
Hi, Folks- This is a reminder that we will NOT have a DOM 3 Events telcon today. Stay tuned for next week. Regards- -Doug

Re: [cors] security issue with XMLHttpRequest API compatibility

2009-04-08 Thread Jonas Sicking
On Wed, Apr 8, 2009 at 2:23 AM, Thomas Roessler wrote: > Incidentally, just framing this as "XHR vs XDR" is a bit simplistic:  E.g., > one could imagine a method "enableCrossSiteRequests" (or something like > that) which needs to be invoked before XHR can do cross site requests. Oh, indeed. I did

Re: Do we need to rename the Origin header?

2009-04-08 Thread Adam Barth
On Wed, Apr 8, 2009 at 10:34 AM, Bil Corry wrote: > Is "draft-abarth-origin-00.txt" entirely compatible now with CORS-Origin? Yes, as far as I know. If you find any incompatibility, please let me know and I'll fix it. Adam

Re: Do we need to rename the Origin header?

2009-04-08 Thread Bil Corry
Adam Barth wrote on 4/7/2009 4:36 PM: >> HTML5: >> http://www.whatwg.org/specs/web-apps/current-work/multipage/history.html#navigate-fragid-step >> Barth: http://www.ietf.org/internet-drafts/draft-abarth-origin-00.txt > > These two, at least, are the same. We separated the XXX-

Re: Reminder: January 31 comment deadline for LCWD of Widgets 1.0: Packaging & Configuration spec

2009-04-08 Thread Marcos Caceres
Hi Rainer, > On Mon, Mar 2, 2009 at 2:56 PM, Hillebrand, Rainer > wrote: > RH: I would recommend not to standardize a base security policy for all > markets on the world. It would take too long. However, we might want to > discuss for Widgets 2.0 whether we would try agreeing on a security fram

Re: [widgets] Zip endian issue?

2009-04-08 Thread Marcos Caceres
On Fri, Apr 3, 2009 at 11:17 AM, wrote: > Well, > > the ZIP file specification does say that all values are stored in > little-endian byte order unless otherwise specified. The local file header > signature is the four bytes 50 4B 03 04, in this order, always. Endianness > is not even an issue, i

Re: Discussions with HTTP WG about Origin header [was: Do we need to rename the Origin header?]

2009-04-08 Thread Thomas Roessler
On 8 Apr 2009, at 18:31, Robert Sayre wrote: On Wed, Apr 8, 2009 at 1:18 AM, Michael(tm) Smith wrote: Thomas Roessler, 2009-04-06 11:19 +0200: (The http-wg discussion looked ill-informed; among other things, they didn't understand the relationship with CORS.) Why would they? The Origi

Re: Discussions with HTTP WG about Origin header [was: Do we need to rename the Origin header?]

2009-04-08 Thread Robert Sayre
On Wed, Apr 8, 2009 at 1:18 AM, Michael(tm) Smith wrote: > Thomas Roessler, 2009-04-06 11:19 +0200: > >> (The http-wg discussion looked ill-informed; among other things, they didn't >> understand the relationship with CORS.) Why would they? The Origin header seems to be the solution to many pr

Re: [widgets] dropping Asynchronous HTTP Requests and Storage

2009-04-08 Thread Arthur Barstow
On Apr 6, 2009, at 6:46 AM, ext Marcos Caceres wrote: I had a discussion with Anne on IRC about using the Storage interface and XHR [1]. He recommended that we recommend support for Storage only on user agents that support HTML5. With regards to XHR, the same applies: it would be a property of t

[widget-digsig] Pls review: Additional considerations on elliptic curve algorithms to consider

2009-04-08 Thread Frederick Hirsch
The XML Security WG would like to refine the question about the suitability of elliptic curve as a mandatory to implement algorithm for XML Signature 1.1 by highlighting that the scope of elliptic curve is greatly limited in what is proposed to be mandatory in XML Signature 1.1. As T

Re: [cors] security issue with XMLHttpRequest API compatibility

2009-04-08 Thread Thomas Roessler
On 8 Apr 2009, at 02:29, Jonas Sicking wrote: But it's for a limited time. In a few years hopefully all browsers support cross site XHR. And if you can, already today follow the advice that you should not rely on XHR not honoring your request just because it's a cross site URI. You are propos

Re: Widgets 1.0 Packaging and Configuration: I18N comments...

2009-04-08 Thread timeless
hey, both of your messages were marked by gmail as phishing (they claim the sender isn't who it appeared to be). Is this normal? Is it because of the mailing list? This means that people like me might not have seen either message.