The Sec-Metadata header worries me, because non-supporting browsers will allow XMLHttpRequest to spoof it. Adding Origin to all requests would at least "gracefully" fall back if Origin's not there.
Basically every browser (including IE) bans XHR from setting headers with a 'Sec-' prefix. It seems safe enough from that perspective. With regard to 'Origin', @mikispag found some servers that explode if we send the header on every request. Need to do more research.
Oh, well in that case, I like it :)
Great! Thanks for the feedback. :)
I now wish we'd written this in latex so I could finally "publish a paper" with columns of text and pretend to be an academic! :)
One bit of feedback: it would be nice if each protection table mapped directly to the list of attacks outlined earlier. When scrolling through I'm like "does this protection address the polyglot attacks at all??".