Saturday, 27 December 2014

Spoofing of Server Sent Events



In the specification for Server-Sent Events, it says:



Authors should check the origin attribute to ensure that messages are only accepted from domains that they expect to receive messages from. Otherwise, bugs in the author's message handling code could be exploited by hostile sites.



How could one possibly receive messages from domains without requesting them?

Wouldn't the fact that Server-Sent Events are built on HTTP (TCP) make this impossible?
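As an added example that is not part of the original post: the check the specification asks for. Each "message" event from an EventSource is a MessageEvent whose origin property is, per the specification, the origin of the event stream's final URL, that is, the URL after any HTTP redirects. So the origin of the messages a page receives is not fixed by the URL the page asked for, and a handler that trusts every message it gets is relying on the stream never being redirected and the URL never coming from untrusted input. The allowed origin, stream URL and payload shape below are assumptions made for the example.

```javascript
// Added example (not code from the original post): validate the origin and
// shape of Server-Sent Events messages before acting on them.

// Origins this page agrees to accept events from (assumed value for the example).
const ALLOWED_ORIGINS = new Set(["https://example.com"]);

// Returns { ok: true, text } when the event comes from an allowed origin and
// carries a well-formed payload; otherwise { ok: false, reason }.
// Works on any object shaped like a MessageEvent ({ origin, data }).
function acceptEvent(event, allowedOrigins = ALLOWED_ORIGINS) {
  // 1. Origin check, as the specification recommends.
  if (typeof event.origin !== "string" || !allowedOrigins.has(event.origin)) {
    return { ok: false, reason: "unexpected origin: " + String(event.origin) };
  }
  // 2. Parse defensively: a message from the right origin can still be malformed.
  let payload;
  try {
    payload = JSON.parse(event.data);
  } catch (e) {
    return { ok: false, reason: "malformed payload" };
  }
  // 3. Accept only the fields the handler actually uses (assumed shape: { text }).
  if (typeof payload !== "object" || payload === null || typeof payload.text !== "string") {
    return { ok: false, reason: "unexpected payload shape" };
  }
  return { ok: true, text: payload.text };
}

// Wiring into a real EventSource (browser only; the URL is an assumed example).
function subscribe(url, onText) {
  const source = new EventSource(url);
  source.addEventListener("message", (event) => {
    const result = acceptEvent(event);
    if (!result.ok) {
      console.warn("dropping SSE message:", result.reason);
      return;
    }
    onText(result.text);
  });
  return source;
}

// Constructed sample events (plain objects shaped like MessageEvent) so the
// check can be exercised outside a browser.
const sampleEvents = [
  { origin: "https://example.com", data: JSON.stringify({ text: "hello" }) },
  { origin: "https://other.example", data: JSON.stringify({ text: "not from here" }) },
  { origin: "https://example.com", data: "not json" },
];

function runSamples() {
  return sampleEvents.map((e) => acceptEvent(e));
}

// Usage: subscribe("https://example.com/stream", (text) => console.log(text));
console.log(runSamples());
```

The origin check is the first gate, but note that it only narrows which server's messages are honoured; the payload validation that follows is what limits the damage a bug in the handler can do, which is the actual concern the specification raises.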




