[cap-talk] Fwd: [cors] TAG request concerning CORS &Next Step(s)

Karp, Alan H alan.karp at hp.com
Tue Jul 7 11:39:12 EDT 2009


Adam Barth wrote:
> 
> The browser's security policy prevents this.  If you can build a demo
> web site that forges the Origin header to finance.google.com in
> Firefox 3.5, you should file a security bug, and Mozilla will issue a
> patch to their users.
>
Thanks for your patience.  Just one last note to make sure I understand.  Code running on a page in the browser cannot set the Origin header, only the browser can do that.  Bob's Finance could deliver to the user an application that does not run in the browser, but Acme Finance would still have a competitive advantage.  

The threat is not that Bob's Finance will use the Acme Finance account, as I and I think others were assuming.  The threat is that there is some way that Acme Finance will lose the competitive advantage that comes from having an account with Google Finance.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
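The distinction in the message above (the browser, not page script, sets Origin, while a client that does not run in the browser can send whatever it likes) is what a server's CORS handling has to live with. The added example below is not code from the cap-talk thread or from any project discussed in it; it shows a server-side allow-list decision that keys on the browser-supplied Origin header only to decide which page may read the response, and sends no CORS headers for anything else. The origin names and the request-header dictionary shape are constructed for the example.

```python
"""Server-side CORS decision keyed on the browser-supplied Origin header.

Added example, not from the cap-talk thread or any project it discusses.
The allow-list entries and host names are constructed; the caller is
assumed to pass request headers as a plain dict of name -> value.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allow-list of web origins whose pages may read our responses
# cross-site.  Entries are exact scheme://host[:port] strings; prefix or
# substring matching is deliberately avoided.
ALLOWED_ORIGINS = frozenset({
    "https://acme-finance.example",
    "https://app.acme-finance.example",
})


def normalize_origin(origin: Optional[str]) -> Optional[str]:
    """Canonicalize an Origin header value to scheme://host[:port].

    Returns None for a missing, opaque ("null") or malformed value so that
    the caller treats it as 'no origin' rather than guessing.
    """
    if not origin or origin == "null":
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # A serialized origin carries no path, query or fragment.
    if parts.path or parts.query or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    host = parts.hostname.lower()
    default_port = 443 if parts.scheme == "https" else 80
    if port and port != default_port:
        return f"{parts.scheme}://{host}:{port}"
    return f"{parts.scheme}://{host}"


def cors_headers(request_headers: Dict[str, str]) -> Dict[str, str]:
    """Return the CORS response headers to attach for this request.

    An empty dict means 'send no CORS headers': the browser then refuses
    to expose the response to the calling page.  A non-browser client can
    still send the request with any Origin it wants, so this check gates
    only what a page may read; the resource itself must still be protected
    by ordinary authentication.
    """
    raw = next((v for k, v in request_headers.items()
                if k.lower() == "origin"), None)
    origin = normalize_origin(raw)
    if origin is None or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        # Echo the specific allowed origin; never "*" with credentials.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        # Caches must not serve one origin's answer to another.
        "Vary": "Origin",
    }


if __name__ == "__main__":
    for hdrs in ({"Origin": "https://acme-finance.example"},
                 {"Origin": "https://bobs-finance.example"},
                 {"Origin": "https://acme-finance.example.attacker.example"},
                 {}):
        print(hdrs.get("Origin"), "->", cors_headers(hdrs))
```

Exact-match comparison after normalization is the part worth copying: it keeps a lookalike such as `https://acme-finance.example.attacker.example` from matching a startswith-style check, and it treats a missing or `null` Origin the same as an unknown one.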