On Mon, 17 Jul 2006, Mark Nottingham wrote:
>
> RFC2616 says that POST, PUT, DELETE and unrecognised request methods passing
> through a cache MUST invalidate one or more cache entries (depending on the
> values of the Location and Content-Location headers).
>
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.10
>
> In my informal (and not yet complete) testing, I've only found one cache
> implementation -- client or intermediary -- that actually does this. I've
> tried to engage various vendors, etc. to fix it, but haven't seen much
> interest.

Good, my implementation seems to behave properly (although I didn't check
with Location and Content-Location).

In 13.10, there is also a paragraph about DoS invalidation attacks using
fake Content-Location, and there is an assumption about "domain of control"
of URIs:
<<<
In order to prevent denial of service attacks, an invalidation based on the
URI in a Location or Content-Location header MUST only be performed if the
host part is the same as in the Request-URI.
>>>
As having the same host does not mandate any kind of exclusive control over
the content of a web server, should we downgrade this MUST to a SHOULD?
(or even delete it and put in warning text about possible DoS attacks)

--
Yves Lafon - W3C
"Baroula que barouleras, au tiéu toujou t'entourneras."

Received on Tuesday, 18 July 2006 10:03:23 GMT
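The RFC 2616 section 13.10 invalidation rule being discussed, with the same-host restriction on Location/Content-Location switchable so its effect can be seen, as an added Python example that is not part of this thread or of any real cache implementation; the InvalidatingCache class, the demo() helper and the .example hostnames are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# RFC 2616 13.10: POST, PUT, DELETE and any method the cache does not
# recognise invalidate entries; only GET and HEAD are left alone here.
SAFE_METHODS = {"GET", "HEAD"}


class InvalidatingCache:
    """Toy cache modelling only the invalidation rule of RFC 2616 13.10.

    Entries are keyed by absolute URI. Freshness, validation and storage
    policy are out of scope (hypothetical helper, not a real cache).
    """

    def __init__(self, enforce_same_host=True):
        self.entries = {}
        # The MUST under discussion: a URI taken from Location or
        # Content-Location is only invalidated if its host part matches
        # the Request-URI's host. Set False to see what the rule prevents.
        self.enforce_same_host = enforce_same_host

    def store(self, uri, body):
        self.entries[uri] = body

    def get(self, uri):
        return self.entries.get(uri)

    def handle_response(self, method, request_uri, response_headers):
        """Apply invalidation after a response to `method request_uri`.

        Returns the list of cached URIs that were invalidated.
        """
        if method.upper() in SAFE_METHODS:
            return []
        # Header names are case-insensitive; normalise for lookup.
        headers = {k.lower(): v for k, v in response_headers.items()}
        req_host = urlsplit(request_uri).netloc.lower()
        targets = [request_uri]
        for name in ("location", "content-location"):
            value = headers.get(name)
            if not value:
                continue
            # The header may be relative; resolve against the Request-URI.
            target = urljoin(request_uri, value)
            if self.enforce_same_host and urlsplit(target).netloc.lower() != req_host:
                continue  # cross-host invalidation refused, per 13.10
            targets.append(target)
        invalidated = []
        for uri in targets:
            if uri in self.entries:
                del self.entries[uri]
                invalidated.append(uri)
        return invalidated


def demo(enforce_same_host):
    """Constructed scenario: a POST to other.example answers with a
    Content-Location naming a cached victim.example resource.

    Returns (invalidated URIs, whether the victim entry survived).
    """
    cache = InvalidatingCache(enforce_same_host)
    cache.store("http://victim.example/popular", b"victim page")
    cache.store("http://other.example/form", b"form page")
    invalidated = cache.handle_response(
        "POST",
        "http://other.example/form",
        {"Content-Location": "http://victim.example/popular"},
    )
    return sorted(invalidated), cache.get("http://victim.example/popular") is not None


if __name__ == "__main__":
    print("with same-host check:   ", demo(True))
    print("without same-host check:", demo(False))
```

With the check enforced only the POSTed resource itself is evicted; with it relaxed to a SHOULD that a cache chooses not to honour, any origin able to elicit a request through the cache can evict another host's entries, which is the denial-of-service case the section's MUST is there to prevent.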