12 Oct 2007 11:41
Re: HTTP header registration question
Anne van Kesteren <annevk <at> opera.com>
2007-10-12 09:41:24 GMT
On Fri, 12 Oct 2007 02:57:04 +0200, Martin Duerst <duerst <at> it.aoyama.ac.jp> wrote:

> I have just realized that I haven't seen any security issues
> for this proposal described or discussed, although I think
> that there may be quite some security issues connected to
> phishing, which should be carefully analysed and described.

Actually, security considerations are discussed in
http://dev.w3.org/2006/waf/access-control/#security

> The scenario I'm thinking about is that a phishing site,
> rather than as currently having to get the passwords from
> the user to its server, and then from there contact the
> real server, may be able to list the real server in
> an Access-Control header and therewith may be able to
> correspond directly between client and real server,
> potentially circumventing some security checks that
> were in place until now (e.g. a plausibility check
> for the IP address of the user, ...).

How would this work exactly? I don't understand the scenario.

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>