[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization
Tyler Close
tyler.close at gmail.com
Tue Sep 27 20:08:18 UTC 2005
Hi David,
On 9/27/05, David Barrett <dbarrett at quinthar.com> wrote:
> > On 9/27/05, Antoine Pitrou <solipsis at pitrou.net> wrote:
> >> Well, if Javascript allows the browser to fake a human being without the
> >> user being aware of it, I think there's nothing serious we can do
> >> against it.
>
> Well, there are *some* limits to what a JavaScript page can do. For
> example, is it possible for a JavaScript page from "bad.com" to issue a
> request to "other.com" with a forged Referer header from "good.com"?

If the page from bad.com or good.com is an https page, other.com will
not receive a Referer header from either and so cannot tell the
difference between bad.com and good.com.
Tyler
--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/extensions/moreinfo.php?id=957