[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization
David Barrett
dbarrett at quinthar.com
Tue Sep 27 19:46:57 UTC 2005
> On 9/27/05, Antoine Pitrou <solipsis at pitrou.net> wrote:
>> Well, if Javascript allows the browser to fake a human being without
>> the user being aware of it, I think there's nothing serious we can do
>> against it.
Well, there are *some* limits to what a JavaScript page can do. For
example, is it possible for a JavaScript page from "bad.com" to issue a
request to "other.com" with a forged Referer header from "good.com"?
It's my impression that Referer is a read-only property, and thus can't
be spoofed with a typical request. And using an XML HTTP request is
limited to the origin domain (in this case, "bad.com"). Am I missing
another option?
(Naturally native code using a simple socket can spoof anything, but I'm
talking about what's possible in JavaScript without popping up security
warnings.)
-david
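The two browser-side limits David describes (script cannot set Referer; XMLHttpRequest is confined to the page's own origin) modelled as an added example, not code from the original thread. The forbidden-header list is a partial, constructed copy of the Fetch spec's "forbidden header names", and the same-origin rule is the pre-CORS one the message assumes.

```javascript
// Header names the browser fills in itself; script cannot set or override
// them. Partial list, taken from the Fetch spec's "forbidden header names".
const FORBIDDEN_HEADERS = new Set([
  "referer", "host", "origin", "cookie", "content-length", "connection",
]);

// Same origin means the same scheme, host and port. URL.host already
// drops a default port, so "https://a.com:443" and "https://a.com" match.
function sameOrigin(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Model of what a script served from `pageUrl` gets out of an XHR-style
// API: a cross-origin target is refused outright (pre-CORS same-origin
// policy), forbidden headers are dropped (real XHR ignores them silently
// rather than throwing), and Referer is supplied by the browser from the
// requesting page, never from the script.
function buildScriptedRequest(pageUrl, targetUrl, requestedHeaders) {
  if (!sameOrigin(pageUrl, targetUrl)) {
    return { allowed: false, reason: "cross-origin XHR blocked", headers: {}, dropped: [] };
  }
  const headers = {};
  const dropped = [];
  for (const [name, value] of Object.entries(requestedHeaders)) {
    if (FORBIDDEN_HEADERS.has(name.toLowerCase())) {
      dropped.push(name);
      continue;
    }
    headers[name] = value;
  }
  headers["Referer"] = pageUrl; // set by the browser, not the script
  return { allowed: true, headers, dropped };
}

// Constructed scenario from the message: a page on bad.com tries to send a
// request carrying a forged Referer of good.com.
const crossSite = buildScriptedRequest("http://bad.com/page", "http://other.com/api",
  { Referer: "http://good.com/" });
const sameSite = buildScriptedRequest("http://bad.com/page", "http://bad.com/api",
  { Referer: "http://good.com/", "X-Requested-With": "XMLHttpRequest" });
console.log(crossSite.allowed, crossSite.reason);          // false cross-origin XHR blocked
console.log(sameSite.headers.Referer, sameSite.dropped);   // http://bad.com/page [ 'Referer' ]
```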