Re: Possible risk with Mandatory

From: Henrik Frystyk Nielsen (frystyk@w3.org)
Date: Fri, Aug 07 1998


Message-Id: <3.0.5.32.19980807141004.034a68f0@localhost>
Date: Fri, 07 Aug 1998 14:10:04 -0400
To: John Stracke <francis@netscape.com> (by way of Henrik Frystyk Nielsen <frystyk@w3.org>), ietf-http-ext@w3.org
From: Henrik Frystyk Nielsen <frystyk@w3.org>
Subject: Re: Possible risk with Mandatory

At 04:35 7/2/98 -0400, John Stracke wrote:
>I don't think this is even a violation of RFC-2068, which
>reads:

It is not a violation that Apache passes the method on to the script, but it
is a violation if the script ignores it. As you say, many scripts currently
(and probably always will) ignore the method, which will cause a lot of
damage trying to extend HTTP, not only for Mandatory, but also for WebDAV,
etc.

>Note that I'm not on the list or anything; I thought of this
>when we were considering using Mandatory in WebDAV, and
>thought I'd pass it along.

What's the status of this? I have just submitted a new version which should
cover all open issues on the issues list.

What do people think about this? In many cases, the extended request will
also result in an extended response (as there is extended information to
send in both directions) and in this situation the CGI trap can be discovered.

Henrik
--
Henrik Frystyk Nielsen,
World Wide Web Consortium
http://www.w3.org/People/Frystyk
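
The "CGI trap" discussed in this message, as an added example that is not part of the original post: a script that ignores REQUEST_METHOD next to one that rejects methods it does not implement, plus the client-side check for a missing extended response. The function names are hypothetical; the "M-" method prefix and the "Ext" response header are assumptions taken from RFC 2774, the later published form of the extension framework, not from this message.

```python
# Added example: CGI scripts modelled as functions over the CGI environment.
# Each returns (status, headers, body). All names here are hypothetical.

IMPLEMENTED_METHODS = {"GET", "HEAD"}  # what this sample script really supports


def naive_script(environ):
    """Ignores REQUEST_METHOD, so any method is silently treated like GET."""
    body = "report for " + environ.get("QUERY_STRING", "")
    return 200, {"Content-Type": "text/plain"}, body


def strict_script(environ):
    """Refuses methods it does not implement instead of guessing."""
    method = environ.get("REQUEST_METHOD", "")
    if method not in IMPLEMENTED_METHODS:
        # 501 is the status for a request method the server does not recognize
        return 501, {"Content-Type": "text/plain"}, "method not implemented"
    return naive_script(environ)


def looks_like_cgi_trap(request_method, status, headers):
    """Client-side check: an extended request answered with success but
    without any extended response information was probably not understood.
    Assumes the "M-" prefix and "Ext" header of RFC 2774."""
    extended_request = request_method.upper().startswith("M-")
    acknowledged = any(name.lower() == "ext" for name in headers)
    return extended_request and 200 <= status < 300 and not acknowledged


def probe(script, method):
    """Send a constructed request to a script and report (status, trapped)."""
    environ = {"REQUEST_METHOD": method, "QUERY_STRING": "id=7"}  # constructed
    status, headers, _body = script(environ)
    return status, looks_like_cgi_trap(method, status, headers)


if __name__ == "__main__":
    for script in (naive_script, strict_script):
        for method in ("GET", "M-GET"):
            print(script.__name__, method, probe(script, method))
```

The check only works when the extension defines something to send back; an extended request with no extended response gives the client nothing to test for.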