Details
Bug
Resolution: Fixed
Medium
0.1, 0.2, 0.3, 0.3.1, 0.3.2, 0.3.3
None
None
Firefox 1.5, Firefox 2.0, Camino
Description
The use of the HTTP Accept header as an authentication factor is unreliable when Mozilla-based browsers are used.
By default, Mozilla-based browsers will send an Accept header similar to the following:
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
However, this changes when requesting an image embedded via the HTML IMG element:
Accept: image/png,*/*;q=0.5
It's also worth noting that Firefox will request JavaScript sourced via a SCRIPT element with:
Accept: */*
I think, in light of this, the use of the Accept header as an authentication factor isn't very reliable, as the semantics of this header mean it may vary at will.
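
The failure described in this report, as an added example (not code from the affected project): a session check that binds on a hash of request headers rejects the same browser's image and script requests when Accept is one of the factors. The key, the User-Agent value and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Accept values quoted in the report above, one per kind of request.
ACCEPT_BY_REQUEST = {
    "page": "text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,"
            "text/plain;q=0.8,image/png,*/*;q=0.5",
    "img": "image/png,*/*;q=0.5",
    "script": "*/*",
}

# Constructed sample values (assumptions, not from the report).
SERVER_KEY = b"constructed-demo-key"
USER_AGENT = "ExampleBrowser/1.0 (constructed)"


def fingerprint(headers, factors):
    """HMAC over the chosen request headers; a missing header counts as empty."""
    mac = hmac.new(SERVER_KEY, digestmod=hashlib.sha256)
    for name in factors:
        value = headers.get(name, "")
        # Length-prefix each field so adjacent values cannot run together.
        mac.update(f"{name}:{len(value)}:{value}\n".encode())
    return mac.hexdigest()


def rejected_requests(factors):
    """Bind a session on the page request, then replay the browser's
    follow-up requests and return the kinds whose fingerprint no longer matches."""
    def headers_for(kind):
        return {"User-Agent": USER_AGENT, "Accept": ACCEPT_BY_REQUEST[kind]}

    bound = fingerprint(headers_for("page"), factors)
    return [
        kind for kind in ACCEPT_BY_REQUEST
        if not hmac.compare_digest(bound, fingerprint(headers_for(kind), factors))
    ]


if __name__ == "__main__":
    print("with Accept:   ", rejected_requests(["User-Agent", "Accept"]))
    print("without Accept:", rejected_requests(["User-Agent"]))
```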