
Re: XSS makes TRACE harmful?

From: Stefan Eissing <stefan.eissing@greenbytes.de>
Date: Mon, 17 Feb 2003 16:53:07 +0100
Cc: ietf-http-wg@w3.org
To: Alex Rousskov <rousskov@measurement-factory.com>
Message-Id: <E8530FEA-428F-11D7-802D-00039384827E@greenbytes.de>

On Saturday, 15.02.03, at 01:39 (Europe/Berlin), Alex wrote:
> What is your opinion? Should TRACE be supported by default? Is it a
> good idea to mention this "exposure" vulnerability in HTTP errata or
> elsewhere?

Hmm. Maybe one could exclude sensitive headers such as
Authorization, Cookie and Proxy-Authorization from TRACE responses.
After all, 2616, ch. 9.8 says that the complete request SHOULD
be sent back. So, it's not a MUST, and an implementation might have
a good reason for not doing so. Making life harder for such
exploits seems like a good idea, and it would allow keeping TRACE
in the server.

On the other hand, as is also stated in the report, there is no
protection against XSS-enabled clients.

Received on Monday, 17 February 2003 10:54:12 UTC
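As an added illustration of the mitigation discussed in the message above (example code, not from the thread or from any server implementation): a TRACE handler that reflects the request as RFC 2616 section 9.8 describes, but withholds Authorization, Cookie and Proxy-Authorization from the echo. The function names, the folded-header handling and the constructed sample request are assumptions made for this example.

```python
from typing import List

# Header names the message above proposes withholding from TRACE echoes
# (compared case-insensitively, as HTTP header names are).
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})


def filter_header_lines(header_lines: List[bytes], strip_sensitive: bool) -> List[bytes]:
    """Return the header lines to reflect.

    Obsolete line folding (a line starting with SP or HTAB continues the
    previous header) is honoured, so a folded Cookie value is dropped together
    with its first line instead of leaking through the filter.
    """
    kept: List[bytes] = []
    dropping = False
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):  # continuation of the previous header
            if not dropping:
                kept.append(line)
            continue
        name = line.split(b":", 1)[0].strip().lower().decode("latin-1")
        dropping = strip_sensitive and name in SENSITIVE_HEADERS
        if not dropping:
            kept.append(line)
    return kept


def trace_echo(raw_request: bytes, strip_sensitive: bool = True) -> bytes:
    """Build the full TRACE response (status line, headers, message/http body)
    for one raw HTTP/1.1 request. With strip_sensitive=False the whole request
    is reflected, which is the default behaviour 2616 ch. 9.8 describes."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    if request_line.split(b" ", 1)[0] != b"TRACE":
        return b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n"
    reflected = b"\r\n".join(
        [request_line, *filter_header_lines(header_lines, strip_sensitive)]
    ) + b"\r\n\r\n"
    return (
        b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
        + b"Content-Length: %d\r\n\r\n" % len(reflected)
        + reflected
    )


# Constructed sample request; the credential values are made up.
SAMPLE_REQUEST = (
    b"TRACE /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Cookie: session=abc123\r\nAuthorization: Basic dXNlcjpwYXNz\r\n"
    b"Max-Forwards: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(trace_echo(SAMPLE_REQUEST).decode("latin-1"))
```

Withholding these headers only limits what a cross-site TRACE can read back; as the message's last paragraph notes, it does nothing for a client that is itself under script control.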
