On Wed, 25 Jul 2007 15:52:06 +0200, Jonas Sicking <[EMAIL PROTECTED]> wrote:
The part I'm worried about is that the Authorization header will be picked up by your (the author's) web server. However, Proxy-Authorization will be picked up by the proxy. Using this you can potentially launch a distributed brute-force password attack against a company proxy. This is why I'm in general thinking that disallowing Proxy-* might be a good idea.

Ok, fair enough: http://dev.w3.org/cvsweb/~checkout~/2006/webapi/XMLHttpRequest/Overview.html?content-type=text/html;%20charset=utf-8#setrequestheader

Is that better?


--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
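
The restriction discussed in this thread, as an added example that is not part of either message or of the specification text: a filter that lets `Authorization` through to the origin server and drops any `Proxy-*` header set by script. The function names and the sample header list are hypothetical, and the CR/LF check on values is an assumption added so that a blocked header cannot be smuggled in through another header's value.

```javascript
// Added example, not code from the thread or from the XMLHttpRequest draft.
// Header names must be HTTP "token" characters (RFC 7230).
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// Header names are case-insensitive, so compare in lower case.
function isProxyHeader(name) {
  return name.toLowerCase().startsWith("proxy-");
}

// Takes [name, value] pairs requested by page script. Returns the pairs that
// may be sent and the names that were dropped. Throws on malformed input.
function sanitizeRequestHeaders(requested) {
  const accepted = [];
  const dropped = [];
  for (const [name, value] of requested) {
    if (typeof name !== "string" || !TOKEN.test(name)) {
      throw new SyntaxError("invalid header name: " + JSON.stringify(name));
    }
    // A value containing CR, LF or NUL could carry a second header line,
    // which would bypass the name check below.
    if (/[\r\n\0]/.test(String(value))) {
      throw new SyntaxError("invalid value for header " + name);
    }
    if (isProxyHeader(name)) {
      dropped.push(name); // consumed by the proxy, not the author's server
      continue;
    }
    accepted.push([name, String(value)]);
  }
  return { accepted, dropped };
}

// Constructed sample input (values are placeholders).
const SAMPLE_HEADERS = [
  ["Authorization", "Basic constructed-value"],
  ["PROXY-authorization", "Basic constructed-value"],
  ["Proxy-Connection", "keep-alive"],
  ["X-Requested-With", "XMLHttpRequest"],
];

const result = sanitizeRequestHeaders(SAMPLE_HEADERS);
console.log("sent:", result.accepted.map(([n]) => n).join(", "));
console.log("dropped:", result.dropped.join(", "));
```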
