Re: i19 Bodies on GET (and other) requests

From: William A. Rowe, Jr. <wrowe@rowe-clan.net>
Date: Tue, 16 Jan 2007 20:47:09 -0600
Message-ID: <45AD8E2D.3080903@rowe-clan.net>
To: Henrik Nordstrom <henrik@henriknordstrom.net>
CC: Mark Nottingham <mnot@mnot.net>, Scott Lawrence <scott@skrb.org>, "Roy T.Fielding" <fielding@gbiv.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Henrik Nordstrom wrote:
> But the security issues related to message bodies deserve a separate
> discussion in what can be done in the specs to improve the situation.

Security issues are caused by implementors.  Please reread the Watchfire
report carefully to observe all the ways an implementor can do so.

But don't cloud the spec solving a non-issue which the spec clearly
defined for interoperability.  No conforming server or proxy agent
was subject to the HTTP Request Splitting vulnerabilities.  (Which
is to say all were, but it was very clear in each case what the
implementor had done wrong.)

Received on Wednesday, 17 January 2007 02:48:07 UTC