On Saturday, 15.02.03, at 01:39 (Europe/Berlin), Alex Rousskov wrote:

> What is your opinion? Should TRACE be supported by default? Is it a
> good idea to mention this "exposure" vulnerability in HTTP errata or
> elsewhere?

Hmm. Maybe one could exclude sensitive headers such as Authorization, Cookie and Proxy-Authorization from TRACE responses. After all, 2616, ch. 9.8 says that the complete request SHOULD be sent back. So it's not a MUST, and an implementation might have a good reason for not doing so. Making life harder for such exploits seems like a good idea, and it would allow keeping TRACE in the server.

On the other hand - as is also stated in the report - there is no protection against XSS-enabled clients.

//Stefan

Received on Monday, 17 February 2003 10:54:12 GMT
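As an added example (not code from this thread or from any server project), the mitigation Stefan proposes in Python: a TRACE handler that echoes the request as RFC 2616 ch. 9.8 describes but replaces the values of Authorization, Cookie and Proxy-Authorization with a placeholder, plus a check an operator can run over a captured TRACE response to see whether credentials are still being reflected. The header list, the `[redacted]` placeholder and the sample request are assumptions.

```python
from typing import List, Tuple

# Headers never echoed back (assumed list, taken from the proposal in the message).
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})

def parse_request(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 request head into request line and (name, value) header pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip blank or malformed lines without a colon
            headers.append((name.strip(), value.strip()))
    return lines[0], headers

def build_trace_response(raw_request: bytes) -> bytes:
    """Echo the request as RFC 2616 ch. 9.8 describes, but replace credential-bearing
    header values with a placeholder so a reflected TRACE cannot expose them."""
    request_line, headers = parse_request(raw_request)
    if not request_line.startswith("TRACE "):
        return b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"
    echoed = [request_line]
    for name, value in headers:
        shown = "[redacted]" if name.lower() in SENSITIVE_HEADERS else value
        echoed.append(f"{name}: {shown}")
    body = ("\r\n".join(echoed) + "\r\n").encode("iso-8859-1")
    head = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("iso-8859-1")
    return head + body

def trace_leaks_credentials(response: bytes) -> bool:
    """Operator-side check: does a TRACE response body still echo a sensitive header value?"""
    body = response.partition(b"\r\n\r\n")[2].decode("iso-8859-1")
    for line in body.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in SENSITIVE_HEADERS and value.strip() != "[redacted]":
            return True
    return False

# Constructed sample request carrying a session cookie and Basic credentials.
SAMPLE_REQUEST = (
    b"TRACE / HTTP/1.1\r\n"
    b"Host: www.example.org\r\n"
    b"Cookie: SESSIONID=constructed-sample-value\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n"
    b"Max-Forwards: 0\r\n\r\n"
)
```

The check is also useful against a server that echoes requests unfiltered: feed it the captured response and it reports whether a Cookie or Authorization value came back.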