
Re: webmail vulnerabilities: a new pragma token?

From: Mark Nottingham <mnot@pobox.com>
Date: Thu, 20 Jan 2000 11:46:13 +1100
To: Peter W <peterw@usa.net>
Cc: http-wg@cuckoo.hpl.hp.com
Message-ID: <20000120114613.C18872@i.mnot.net>

Just a reminder- Pragma: no-cache is a request header, not a response header.

Also, RFC2616 says that 'No new Pragma directives will be defined in HTTP'.
That seems to preclude this use of it.


On Wed, Jan 19, 2000 at 08:45:00AM -0500, Peter W wrote:
> Before making this suggestion to client app vendors, I would very much
> appreciate the comments of this working group.
> Background:
> On the Bugtraq security discussion mailing list[1], there has been much
> conversation of late about webmail vulnerabilities. Essentially, the
> webmail sites offer HTTP/HTML frontends to read Internet mail. They
> normally can display HTML-encoded email. Such systems usually try to
> remove all scripting code from email before displaying it. This is to
> prevent those scripts from being executed in a way that might exploit
> current client scripting language problems, or simply exploit the trust
> that a user might normally place in the site running the webmail frontend.
> Suggestion:
> It would be nice if there were an HTTP header that, if sent to the
> client, would cause the client to disable javascript, vbscript, etc. for
> that document only. Sites that wished to display untrusted pages (webmail
> sites, web discussion forums, etc.) could then use a multi-frame layout.
> Any frame that contained untrusted code would have this header included in
> the delivery of its content to ensure that the scripts would not be
> evaluated, regardless of the normal client settings; other frames, whose
> "trusted" documents would be sent without this header, would still be able
> to use scripting (if enabled on the client).
> May I suggest
> Pragma: disable-scripting
> which I suppose means a no-cache page would be sent with
> Pragma: no-cache, disable-scripting
> Per RFC 2616, all Pragma headers must be passed to the client by all proxy
> server or gateway applications. So this header would be passed to the
> client application, as desired. But is it an acceptable use for "Pragma"?
> Comments, suggestions?
> -Peter
> http://www.bastille-linux.org/ : working towards more secure Linux systems
> [1] http://www.securityfocus.com/

Mark Nottingham, Melbourne Australia 
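The following is an added example, not code from the original thread or from either poster: a small Python model of the mechanism Peter W sketches above. It parses a Pragma header into its directive list using the RFC 2616 grammar (token, optionally "=" token or quoted-string, comma-separated), builds the per-frame response headers the post proposes (trusted frames without the directive, untrusted frames with it, "no-cache" added when the page is not cacheable), and shows that a proxy that strips only the RFC 2616 hop-by-hop headers leaves Pragma intact. The "disable-scripting" directive is the post's proposal, not a real HTTP directive, and the client-side rule in scripting_allowed() is a hypothetical policy written for this illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

Directive = Tuple[str, Optional[str]]

# Proposed in the quoted post; NOT a registered HTTP Pragma directive.
DISABLE_SCRIPTING = "disable-scripting"

# Hop-by-hop headers listed in RFC 2616 section 13.5.1; a proxy removes these
# and forwards everything else (Pragma is end-to-end and is not in this set).
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
}


def _split_list(value: str) -> List[str]:
    """Split an RFC 2616 #-list on commas, ignoring commas inside quoted-strings."""
    items, buf, quoted, escape = [], [], False, False
    for ch in value:
        if escape:
            buf.append(ch)
            escape = False
        elif quoted and ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    # Empty list elements are permitted by the #-rule and are simply skipped.
    return [item.strip() for item in items if item.strip()]


def parse_pragma(value: str) -> List[Directive]:
    """Parse a Pragma header value into (name, value) pairs.

    Grammar (RFC 2616 14.32): extension-pragma = token [ "=" ( token | quoted-string ) ]
    Directive names are case-insensitive, so they are returned lower-cased.
    """
    directives: List[Directive] = []
    for item in _split_list(value):
        name, _, raw = item.partition("=")
        name, raw = name.strip().lower(), raw.strip()
        if not raw:
            directives.append((name, None))
        elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            directives.append((name, re.sub(r"\\(.)", r"\1", raw[1:-1])))  # unquote
        else:
            directives.append((name, raw))
    return directives


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (header field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def scripting_allowed(headers: Dict[str, str], client_scripting_enabled: bool = True) -> bool:
    """Hypothetical client rule from the post: the directive overrides the user's
    setting in the restrictive direction only; it can never turn scripting on."""
    if not client_scripting_enabled:
        return False
    return all(name != DISABLE_SCRIPTING for name, _ in parse_pragma(_header(headers, "Pragma")))


def frame_response_headers(trusted: bool, cacheable: bool) -> Dict[str, str]:
    """Headers a webmail site would send for one frame of the multi-frame layout."""
    directives = []
    if not cacheable:
        directives.append("no-cache")
    if not trusted:
        directives.append(DISABLE_SCRIPTING)
    headers = {"Content-Type": "text/html"}
    if directives:
        headers["Pragma"] = ", ".join(directives)
    return headers


def proxy_forward(headers: Dict[str, str]) -> Dict[str, str]:
    """Model of a proxy that drops hop-by-hop headers and passes the rest on,
    which is why the Pragma directive reaches the client (RFC 2616 14.32)."""
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}


if __name__ == "__main__":
    untrusted = frame_response_headers(trusted=False, cacheable=False)
    trusted = frame_response_headers(trusted=True, cacheable=False)
    print("untrusted frame:", untrusted["Pragma"], "-> scripting:", scripting_allowed(untrusted))
    print("trusted frame:  ", trusted["Pragma"], "-> scripting:", scripting_allowed(trusted))
    via_proxy = proxy_forward(dict(untrusted, Connection="close"))
    print("after proxy:    ", via_proxy)
```

The parser deliberately keeps quoted-string handling, since a real client would see arbitrary extension-pragma values from other senders and must not split on a comma inside quotes. For comparison, the per-document script control the post asks for is what browsers later provided through the Content-Security-Policy response header (for example script-src 'none'), not through a Pragma directive.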
Received on Thursday, 20 January 2000 00:59:32 UTC
