W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2003

Re: XSS makes TRACE harmful?

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Mon, 17 Feb 2003 16:53:07 +0100
Cc: ietf-http-wg@w3.org
To: Alex Rousskov <rousskov@measurement-factory.com>
Message-Id: <E8530FEA-428F-11D7-802D-00039384827E@greenbytes.de>


Am Samstag, 15.02.03, um 01:39 Uhr (Europe/Berlin) schrieb Alex 
Rousskov:
>
> What is your opinion? Should TRACE be supported by default? Is it a
> good idea to mention this "exposure" vulnerability in HTTP errata or
> elsewhere?

Hmm. Maybe one could exclude sensitive header such as
Authorization, Cookie and Proxy-Authorization from TRACE responses.
After all, 2616, ch. 9.8 says that the complete request SHOULD
be send back. So, it's not a MUST and implementation might have
a good reason for not doing so. Making life harder for such
exploits seems like a good idea and it would allow to keep TRACE
in the server.

On the other hand - as it is stated also in the report - there is no
protection against XSS-enabled clients.

//Stefan
Received on Monday, 17 February 2003 10:54:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:22 GMT