On Tue, Feb 19, 2008 at 1:10 AM, Anne van Kesteren <[EMAIL PROTECTED]> wrote:
> > specification we'd have to choose a header name that starts with
> > "Proxy-". There have been many other proposals for new
> > security-related HTTP headers (e.g. content restrictions) so it would
> > be nice to solve this issue in general.
>
> Comments like this do encourage me to introduce "Sec-" so we don't get a
> whole bunch of fake "Proxy-" headers. (Note that not all clients blacklist
> everything "Proxy-" yet.)
Please make sure to block setting the "Access-Control-Origin" header, or rename it to have a restricted prefix. If a page could use XMLHttpRequest to spoof this header for same-origin requests, it could use DNS rebinding to spoof this header in a request to an IP address of the attacker's choosing. If the target server was validating the Access-Control-Origin header but not the Host header, the server would think the request came from the wrong origin.

--
Collin Jackson
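The two checks the thread argues for, as an added example that is not part of the original messages: a client-side rule that refuses script-set header names under the reserved prefixes (and the draft "Access-Control-Origin" name itself), and a server-side validator that checks Host before the origin header so that a DNS-rebound request carrying a spoofed origin is still rejected. The header name, hostnames and sample requests are assumptions constructed for the example.

```python
from typing import Mapping, Tuple

# Browser-side rule from the thread: header names page script may not set.
# "Proxy-" is already blocked by some clients; "Sec-" is the proposed
# reserved namespace. Header names are case-insensitive in HTTP.
FORBIDDEN_PREFIXES = ("proxy-", "sec-")
# Draft header name used in this thread (assumed; later drafts renamed it).
ORIGIN_HEADER = "access-control-origin"


def is_forbidden_request_header(name: str) -> bool:
    """True if script must not be allowed to set this request header."""
    n = name.strip().lower()
    return n == ORIGIN_HEADER or n.startswith(FORBIDDEN_PREFIXES)


def validate_request(headers: Mapping[str, str],
                     expected_host: str,
                     allowed_origins: frozenset) -> Tuple[bool, str]:
    """Server-side check. Host is validated first: under DNS rebinding the
    browser still sends the attacker's hostname in Host even though the TCP
    connection reached this server, so an origin check alone is not enough."""
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "").split(":")[0].lower()
    if host != expected_host.lower():
        return False, f"host mismatch: {host!r}"
    origin = h.get(ORIGIN_HEADER)
    if origin is None:
        return False, "missing origin header"
    if origin.lower() not in allowed_origins:
        return False, f"origin not allowed: {origin!r}"
    return True, "ok"


# Constructed sample requests (not from the thread).
ALLOWED = frozenset({"http://app.example.test"})
LEGIT = {"Host": "api.example.test",
         "Access-Control-Origin": "http://app.example.test"}
# DNS rebinding case: attacker hostname resolved to this server's IP and the
# page spoofed the origin header; Host still names the attacker's domain.
REBOUND = {"Host": "evil.attacker.test",
           "Access-Control-Origin": "http://app.example.test"}

if __name__ == "__main__":
    print(validate_request(LEGIT, "api.example.test", ALLOWED))    # (True, 'ok')
    print(validate_request(REBOUND, "api.example.test", ALLOWED))  # host mismatch
```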
