On Tue, Aug 12, 2008 at 7:17 PM, Chad innocentkiller@gmail.com wrote:
> This being said, is a major performance impact worth it? How real a threat is this; is it _currently_ being exploited?
That's a pretty poor standard to use. If it's known to be *possible* for someone to steal large numbers of admins' cookies and/or passwords through some phishing scheme, it's of secondary concern whether anyone happens to be doing it at the moment.
Currently it's not possible, just because all ZIP uploads are blocked. This is kind of suboptimally low granularity, is the problem. JAR really has no mandatory distinctive headers or anything?