AQBARROS@BKB.com.br writes:

>> What about HTTP headers which advise user agents to disable some
>> features, e.g. read/write access to the document or parts of it via
>> scripting or other Internet Explorer interfaces?

> It is a very interesting idea, but it would take some years to start to take
> effect, as non-compatible browsers would still be on the market for a few
> years; Can't we find a solution that works on current browsers?

This special HTTP header would instruct the client to _remove_ functionality which is unneeded. Old clients would continue to work (and leave the functionality enabled); they simply would not benefit from this additional restriction, and would have to rely on the traditional, error-prone access controls (Same Origin Policy and whatever rules exist out there).

> Initially, I thought about encrypting cookie content with a server based
> key. But this key should have some browser-derived component, something that
> changes from one browser/computer to another; IP is not practical, as the
> client can be behind a cluster of proxies. Is there something that the
> browser shows only to the server and not for the client-side scripts?

This is so implementation-dependent that it cannot work in practice.

-- 
Florian Weimer                    Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart           http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT                          fax +49-711-685-5898
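As an added illustration (not code from the thread or its participants) of the two points above: a server emits headers that remove functionality, and a deliberately simplified client model shows that a client which does not understand them keeps everything enabled, while a client that does drops the capability. The header names used are today's Content-Security-Policy and the HttpOnly cookie attribute, which are the deployed forms of these ideas and are not mentioned in the thread; the client model is a toy, not real browser behaviour.

```python
# Added example: restricting headers and two client generations.
# Assumed real-world counterparts of the thread's ideas: the HttpOnly
# cookie attribute and Content-Security-Policy (not named in the thread).
from dataclasses import dataclass, field


@dataclass
class Response:
    headers: list[tuple[str, str]] = field(default_factory=list)


def build_response(session_id: str) -> Response:
    """Server side: hide the session cookie from scripts and forbid scripting."""
    r = Response()
    # HttpOnly: the cookie is still sent back to the server on every request,
    # but a conforming client never exposes it to document.cookie.
    r.headers.append(("Set-Cookie", f"session={session_id}; HttpOnly; Secure"))
    # CSP: no script execution at all for this document.
    r.headers.append(("Content-Security-Policy", "script-src 'none'"))
    return r


def client_capabilities(resp: Response, understands_restrictions: bool) -> dict:
    """Toy client model: what scripts in the page could do after the headers.

    A client that does not understand the restricting headers simply ignores
    them (nothing breaks, nothing is gained); a client that does removes the
    functionality.
    """
    caps = {"run_scripts": True, "script_visible_cookies": set()}
    for name, value in resp.headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if understands_restrictions and "httponly" in attrs:
                continue  # hidden from scripts, still sent to the server
            caps["script_visible_cookies"].add(cookie_name)
        elif name.lower() == "content-security-policy" and understands_restrictions:
            directives = {}
            for directive in value.split(";"):
                parts = directive.split()
                if parts:
                    directives[parts[0]] = parts[1:]
            if directives.get("script-src") == ["'none'"]:
                caps["run_scripts"] = False
    return caps
```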