W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 2000

RE: webmail vulnerabilities: a new pragma token?

From: Eric D. Williams <eric@infobro.com>
Date: Wed, 19 Jan 2000 22:32:19 -0500
Message-ID: <01BF62CD.4DF65430.eric@infobro.com>
To: "'Mark Nottingham'" <mnot@pobox.com>, Peter W <peterw@usa.net>
Cc: "http-wg@cuckoo.hpl.hp.com" <http-wg@cuckoo.hpl.hp.com>
Mark,

On Wednesday, January 19, 2000 7:46 PM, Mark Nottingham [SMTP:mnot@pobox.com] 
wrote:
>
> Just a reminder- Pragma: no-cache is a request header, not a response header.

This is as it should be.

> Also, RFC2616 says that 'No new Pragma directives will be defined in HTTP'.
> That seems to preclude this use of it.

But what Peter suggests is an extension-pragma and not a new Pragma directive 
e.g.

Pragma: no-cache, disable-scripting

and not;

Pragma: disable-scipting

The question that seems more apropos is what is the provider expecting from the 
client, not the converse.  Any implementor that decides to modify her client to 
extend Pragma: no-cache to Pragma: no-cache, disable-scripting should 
reasonably expect the server to have implemented a Reply with scripting 
disabled. OR should we expect the Response chain to ONLY disable those scripted 
elements it 'understands' or the client 'understands' - to me that is the 
dilemma.  What would the clients and servers [sic] be expected to expect. NPI

Eric


> Cheers,
>
>
> On Wed, Jan 19, 2000 at 08:45:00AM -0500, Peter W wrote:
> >
> > Before making this suggestion to client app vendors, I would very much
> > appreciate the comments of this working group.
> >
> > Background:
> >
> > On the Bugtraq security discussion mailing list[1], there has been much
> > conversation of late about webmail vulnerabilities. Essentially, the
> > webmail sites offer HTTP/HTML frontends to read Internet mail. They
> > normally can display HTML-encoded email. Such systems usually try to
> > remove all scripting code from email before displaying it. This is to
> > prevent those scripts from being executed in a way that might exploit
> > current client scripting lnguage problems, or simply exploit the trust
> > that a user might normally place in the site running the webmail frontend.
> >
> > Suggestion:
> >
> > It would be nice if there were on an HTTP header that, if sent to the
> > client, would cause the client to disable javascript, vbscript, etc. for
> > that document only. Sites who wished to display untrusted pages (webmail
> > sites, web discussion forums, etc.) could then use a multi-frame layout.
> > Any frame that contained untrusted code would have this header included in
> > the delivery of its content to ensure that the scripts would not be
> > evaluated, regardless of the normal client settings; other frames, whose
> > "trusted" documents would be sent without this header, would still be able
> > to use scripting (if enabled on the client).
> >
> > May I suggest
> >
> > Pragma: disable-scripting
> >
> > which I suppose means a no-cache page would be sent with
> >
> > Pragma: no-cache, disable-scripting
> >
> > Per RFC 2616, all Pragma headers must be passed to the client by all proxy
> > server or gateway applications. So this header would be passed to the
> > client application, as desired. But is it an acceptable use for "Pragma"?
> >
> > Comments, suggestions?
> >
> > -Peter
> >
> > http://www.bastille-linux.org/ : working towards more secure Linux systems
> >
> > [1] http://www.securityfocus.com/
> >
>
> --
> Mark Nottingham, Melbourne Australia
> http://www.mnot.net/
Received on Thursday, 20 January 2000 03:35:30 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:35 EDT