- From: Mark Nottingham <mnot@mnot.net>
- Date: Wed, 2 May 2012 15:26:45 +1000
- To: Willy Tarreau <w@1wt.eu>
- Cc: IETF HTTP WG <ietf-http-wg@w3.org>
Willy - It's best to send comments to the apps-discuss list; I was just passing this on.

Cheers,

On 02/05/2012, at 3:24 PM, Willy Tarreau wrote:

> Hi Mark,
>
> On Wed, May 02, 2012 at 09:33:53AM +1000, Mark Nottingham wrote:
>> HTTP folk,
>>
>> Please have a look at this document and send along comments, especially if you're an intermediary or firewall person, or consume the existing X-Forwarded-For header.
>>
>> <http://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded-02>
>
> A quick note before it escapes my mind, for 8.2 Information leak:
>
> I would add:
> This header field must never be copied into response messages by origin
> servers or intermediaries for whatever reason as it can reveal the whole
> proxy chain to the client. As a side effect, special care must be taken
> in hosting environments not to allow the TRACE request where the Forwarded
> field is used, as it would appear in the body of the response message.
>
> I'll probably have other comments and agree with those raised by Amos.
>
> Regards,
> Willy

--
Mark Nottingham http://www.mnot.net/
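The two leak paths in the quoted comment (an origin or intermediary copying Forwarded into a response, and a TRACE echo placing it in the response body) can be checked for mechanically. The following is an added example, not code from this thread or from the draft: a small raw-HTTP/1.1 parser, a leak detector that compares a request's Forwarded value against the response it produced, an intermediary-side filter that strips Forwarded from responses before relaying them, and a TRACE check a front end can use to refuse the method. All message samples and the `for=`/`by=` values are constructed (RFC 5737 documentation addresses), not captured traffic.

```python
from dataclasses import dataclass


@dataclass
class HttpMessage:
    start_line: str
    headers: list  # (name, value) pairs, original case and order kept
    body: str


def parse_http(raw: str) -> HttpMessage:
    """Split a raw HTTP/1.1 message into start line, header pairs and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return HttpMessage(lines[0], headers, body)


def serialize_http(msg: HttpMessage) -> str:
    head = "\r\n".join([msg.start_line] + [f"{n}: {v}" for n, v in msg.headers])
    return head + "\r\n\r\n" + msg.body


def header_values(msg: HttpMessage, name: str) -> list:
    return [v for n, v in msg.headers if n.lower() == name.lower()]


def find_forwarded_leak(request_raw: str, response_raw: str) -> list:
    """Describe each way the response exposes Forwarded data.

    Checks the two paths from the mailing-list comment:
      1. a Forwarded header was copied into the response headers;
      2. the request's Forwarded value appears in the response body,
         which is what a TRACE echo produces.
    """
    req = parse_http(request_raw)
    resp = parse_http(response_raw)
    findings = []
    for v in header_values(resp, "Forwarded"):
        findings.append(f"response header echoes Forwarded: {v}")
    for v in header_values(req, "Forwarded"):
        if v in resp.body:
            findings.append(f"response body contains request Forwarded value: {v}")
    return findings


def strip_forwarded_from_response(response_raw: str) -> str:
    """Intermediary-side mitigation: drop any Forwarded header from a
    response before relaying it downstream, whatever the origin did."""
    resp = parse_http(response_raw)
    resp.headers = [(n, v) for n, v in resp.headers if n.lower() != "forwarded"]
    return serialize_http(resp)


def is_trace(request_raw: str) -> bool:
    """Hosting-side mitigation helper: identify TRACE so the front end can
    refuse it rather than let the origin echo the request back."""
    return parse_http(request_raw).start_line.split(" ", 1)[0].upper() == "TRACE"


# Constructed samples (not captured traffic); addresses from RFC 5737 ranges.
FORWARDED = "for=192.0.2.43;by=203.0.113.60;proto=https"
REQUEST = (
    "GET /status HTTP/1.1\r\n"
    "Host: app.example\r\n"
    f"Forwarded: {FORWARDED}\r\n\r\n"
)
TRACE_REQUEST = REQUEST.replace("GET /status", "TRACE /status", 1)
CLEAN_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nok"
# Origin server copied the field into its response headers.
ECHO_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    f"Forwarded: {FORWARDED}\r\n"
    "Content-Type: text/plain\r\n\r\nok"
)
# Origin answered TRACE by reflecting the request it received, header and all.
TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n\r\n" + TRACE_REQUEST
)

if __name__ == "__main__":
    print("clean", find_forwarded_leak(REQUEST, CLEAN_RESPONSE))
    print("echo", find_forwarded_leak(REQUEST, ECHO_RESPONSE))
    print("trace", find_forwarded_leak(TRACE_REQUEST, TRACE_RESPONSE))
    print("stripped", find_forwarded_leak(REQUEST, strip_forwarded_from_response(ECHO_RESPONSE)))
```

The body check matches the request's own Forwarded value rather than the header name, so it also catches an origin that reflects the value into an error page or debug output without the header syntax; the strip filter is the safety net for the first leak path, while refusing TRACE at the front end closes the second.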
Received on Wednesday, 2 May 2012 05:27:14 UTC