[p2p-hackers] Re: [rest-discuss] Re: RESTful authorization

Antoine Pitrou solipsis at pitrou.net
Wed Sep 28 09:50:49 UTC 2005


> It's my impression that Referer is a read-only property, and thus can't 
> be spoofed with a typical request.  And using an XML HTTP request is 
> limited to the origin domain (in this case, "bad.com").

Is this a design property of the ECMAScript standard or just an
implementation detail? If the latter, you can't expect that it will
always stay like this.

Also, you can't rely on Referer to enforce security rules because
Referer is not a mandatory header in HTTP, and it can be changed for
various reasons (privacy "enhancers" for example). You can use it in
heuristics to display various warning messages, but must not deny access
based on it.

I'm curious as to how "capability URLs" can't be stolen and re-used by a
malicious piece of JavaScript like other URLs can. I've tried to read
the theoretical paper about "web calculus" but it's, well...
theoretical ;) Is there a concrete example somewhere?

(I'm not on rest-discuss so I may have missed some parts of the
discussion, so sorry if I'm asking redundant questions here)

> (Naturally native code using a simple socket can spoof anything, but I'm 
> talking about what's possible in JavaScript without popping up security 
> warnings.)

Of course.

regards

Antoine.
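An added illustration of the Referer point above (not from the original post or any project it mentions): a small policy checker run over constructed sample requests, showing that a rule which denies access unless Referer matches also rejects ordinary traffic where the header is absent (direct navigation) or stripped (a privacy proxy), while a heuristic use only attaches a warning. The origin `https://example.org` and the sample requests are assumptions for the demonstration.

```python
from urllib.parse import urlsplit

EXPECTED_ORIGIN = "https://example.org"  # assumed origin of the protected site

# Constructed sample requests (not from the original post). 'legitimate' is the
# ground-truth label a defender would want the policy to agree with.
SAMPLE_REQUESTS = [
    {"name": "same-site form post",
     "headers": {"Host": "example.org", "Referer": "https://example.org/account"},
     "legitimate": True},
    {"name": "bookmark / typed URL (no Referer sent)",
     "headers": {"Host": "example.org"},
     "legitimate": True},
    {"name": "privacy proxy stripped Referer",
     "headers": {"Host": "example.org", "Referer": ""},
     "legitimate": True},
    {"name": "cross-site request",
     "headers": {"Host": "example.org", "Referer": "https://other.example/page"},
     "legitimate": False},
]


def referer_origin(headers):
    """Return scheme://host[:port] from the Referer header, or None if absent, empty or unparsable."""
    for name, value in headers.items():
        if name.lower() == "referer" and value:
            parts = urlsplit(value)
            if parts.scheme and parts.netloc:
                return f"{parts.scheme}://{parts.netloc}".lower()
            return None
    return None


def referer_state(headers, expected_origin=EXPECTED_ORIGIN):
    """Classify a request as 'match', 'mismatch' or 'missing' relative to the expected origin."""
    origin = referer_origin(headers)
    if origin is None:
        return "missing"
    return "match" if origin == expected_origin.lower() else "mismatch"


def strict_policy(headers, expected_origin=EXPECTED_ORIGIN):
    """The rule the post warns against: grant access only when Referer matches."""
    return "allow" if referer_state(headers, expected_origin) == "match" else "deny"


def heuristic_policy(headers, expected_origin=EXPECTED_ORIGIN):
    """Referer as a heuristic only: always allow, but attach a warning when it is missing or differs."""
    state = referer_state(headers, expected_origin)
    warning = None if state == "match" else f"referer {state}; ask the user to confirm this action"
    return "allow", warning


def evaluate(requests=SAMPLE_REQUESTS, expected_origin=EXPECTED_ORIGIN):
    """Count legitimate requests the strict rule rejects and requests the heuristic flags."""
    strict_false_denials = 0
    heuristic_warnings = 0
    for req in requests:
        if req["legitimate"] and strict_policy(req["headers"], expected_origin) == "deny":
            strict_false_denials += 1
        if heuristic_policy(req["headers"], expected_origin)[1] is not None:
            heuristic_warnings += 1
    return {"strict_false_denials": strict_false_denials,
            "heuristic_warnings": heuristic_warnings}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req['name']:40s} state={referer_state(req['headers']):8s} "
              f"strict={strict_policy(req['headers'])} heuristic={heuristic_policy(req['headers'])}")
    print(evaluate())  # {'strict_false_denials': 2, 'heuristic_warnings': 3}
```

On the constructed set, the strict rule turns away two of the three legitimate requests, which is the practical reason the post gives for using Referer only to decide whether to show a warning, never to deny access.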