
Re: Invalidation after updates or deletions

From: Yves Lafon <ylafon@w3.org>
Date: Tue, 18 Jul 2006 12:02:20 +0200 (MEST)
To: Mark Nottingham <mnot@mnot.net>
cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <Pine.GSO.4.64.0607181157570.22633@gnenaghyn.vaevn.se>

On Mon, 17 Jul 2006, Mark Nottingham wrote:

>
> RFC2616 says that POST, PUT, DELETE and unrecognised request methods passing 
> through a cache MUST invalidate one or more cache entries (depending on the 
> values of the Location and Content-Location headers).
>
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.10
>
> In my informal (and not yet complete) testing, I've only found one cache 
> implementation -- client or intermediary -- that actually does this. I've 
> tried to engage various vendors, etc. to fix it, but haven't seen much 
> interest.

Good, my implementation seems to behave properly (although I didn't check 
with Location and Content-Location).

In 13.10, there is also a paragraph about DoS invalidation attacks using 
fake Content-Location, and there is an assumption about "domain of control"
of URIs:

<<<
    In order to prevent denial of service attacks, an invalidation based
    on the URI in a Location or Content-Location header MUST only be
    performed if the host part is the same as in the Request-URI.
>>>
As having the same host does not mandate any kind of exclusive control 
over the content of a web server, should we downgrade this MUST to a 
SHOULD? (or even delete it and put warning text about possible DoS 
attack)

-- 
Yves Lafon - W3C
"Baroula que barouleras, au tiéu toujou t'entourneras."
Received on Tuesday, 18 July 2006 10:03:23 GMT
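
The invalidation rule and the same-host check discussed in this message, as an added example that is not part of the original thread or of any implementation mentioned in it. The names invalidation_targets and Cache, the set of "known" methods and the example.* URIs are assumptions made for illustration; unrecognised methods are treated as in the summary quoted above.

```python
from urllib.parse import urljoin, urlsplit

UNSAFE_METHODS = {"POST", "PUT", "DELETE"}
# Assumption: the methods this hypothetical cache recognises.
KNOWN_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"} | UNSAFE_METHODS


def _host(uri):
    """Lower-cased host part of an absolute URI (None if absent)."""
    return urlsplit(uri).hostname


def invalidation_targets(method, request_uri, response_headers):
    """Return the cache keys to invalidate for one request/response pair.

    request_uri must be absolute; header names match case-insensitively.
    """
    method = method.upper()
    # Recognised safe methods never trigger invalidation.
    if method in KNOWN_METHODS and method not in UNSAFE_METHODS:
        return set()
    targets = {request_uri}
    headers = {k.lower(): v for k, v in response_headers.items()}
    for name in ("location", "content-location"):
        value = headers.get(name)
        if not value:
            continue
        # Resolve relative references against the Request-URI.
        candidate = urljoin(request_uri, value.strip())
        # The MUST under discussion: honour the header only when its host
        # part equals the Request-URI's. The path is not compared, so any
        # other resource on the same host still qualifies.
        if _host(candidate) == _host(request_uri):
            targets.add(candidate)
    return targets


class Cache:
    """Minimal URI-keyed store, enough to show which entries get dropped."""

    def __init__(self):
        self.entries = {}

    def handle_response(self, method, request_uri, response_headers):
        dropped = []
        for uri in invalidation_targets(method, request_uri, response_headers):
            if self.entries.pop(uri, None) is not None:
                dropped.append(uri)
        return sorted(dropped)
```
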
