
Re: Fwd: WGLC: draft-ietf-appsawg-http-forwarded-02.txt

From: Willy Tarreau <w@1wt.eu>
Date: Wed, 2 May 2012 07:24:14 +0200
To: Mark Nottingham <mnot@mnot.net>
Cc: IETF HTTP WG <ietf-http-wg@w3.org>
Message-ID: <20120502052414.GJ10028@1wt.eu>
Hi Mark,

On Wed, May 02, 2012 at 09:33:53AM +1000, Mark Nottingham wrote:
> HTTP folk,
> 
> Please have a look at this document and send along comments, especially if you're an intermediary or firewall person, or consume the existing X-Forwarded-For header.
> 
> <http://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded-02>

A quick note before it escapes my mind, for 8.2. Information leak:

I would add:
   This header field must never be copied into response messages by origin
   servers or intermediaries for whatever reason, as it can reveal the whole
   proxy chain to the client. As a side effect, special care must be taken
   in hosting environments not to allow the TRACE request where the Forwarded
   field is used, as it would appear in the body of the response message.

I'll probably have other comments and agree with those raised by Amos.

Regards,
Willy
Received on Wednesday, 2 May 2012 05:24:45 GMT
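The leak described in the message above, as an added defender-side check (example code written for this archive page, not from the draft, the working group or any proxy project): it parses a raw HTTP/1.1 response and reports a `Forwarded` or `X-Forwarded-For` header copied into the response, or one echoed in the body of a `TRACE` response. The sample responses, addresses and function names are constructed for the example.

```python
"""Report proxy-chain information leaking out of an HTTP response.

Two leak paths from the Forwarded draft's 'Information leak' discussion:
  1. an origin or intermediary copies Forwarded / X-Forwarded-For into the
     response header section;
  2. a TRACE response (body type message/http) echoes the request head,
     which by then carries the whole Forwarded chain.
"""
import re

# Request header fields that must never reach the client in a response.
LEAKY_HEADERS = {"forwarded", "x-forwarded-for"}

# Constructed sample: an origin mirroring the request's Forwarded header.
LEAKY_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Constructed sample: TRACE echoing the request head, proxy chain included.
TRACE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Forwarded: for=192.0.2.60, for=198.51.100.17;by=203.0.113.43\r\n"
    b"X-Forwarded-For: 192.0.2.60, 198.51.100.17\r\n"
)
CLEAN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 0\r\n\r\n"


def parse_response(raw: bytes):
    """Split a raw response into (status_line, {lower-name: [values]}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("iso-8859-1")


def find_forwarding_leaks(raw_response: bytes, request_method: str):
    """Return one finding string per place the proxy chain leaked (empty = clean)."""
    _, headers, body = parse_response(raw_response)
    findings = [f"response header {n}: {', '.join(headers[n])}"
                for n in sorted(LEAKY_HEADERS & headers.keys())]
    if request_method.upper() == "TRACE":
        # The echoed request head sits in the body; scan it line by line.
        for m in re.finditer(r"(?im)^(forwarded|x-forwarded-for):\s*(.+)$", body):
            findings.append(f"TRACE body echoes {m.group(1).lower()}: {m.group(2).strip()}")
    return findings
```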
