Re: WGLC: draft-ietf-appsawg-http-forwarded-02.txt

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 2 May 2012 15:26:45 +1000
Cc: IETF HTTP WG <ietf-http-wg@w3.org>
Message-Id: <788A384A-72F8-458D-A345-F1BD8BE16269@mnot.net>
To: Willy Tarreau <w@1wt.eu>
Willy - 

It's best to send comments to the apps-discuss list; I was just passing this on.

Cheers,


On 02/05/2012, at 3:24 PM, Willy Tarreau wrote:

> Hi Mark,
> 
> On Wed, May 02, 2012 at 09:33:53AM +1000, Mark Nottingham wrote:
>> HTTP folk,
>> 
>> Please have a look at this document and send along comments, especially if you're an intermediary or firewall person, or consume the existing X-Forwarded-For header.
>> 
>> <http://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded-02>
> 
> A quick note before it escapes my mind, for 8.2. Information leak:
> 
> I would add:
>   This header field must never be copied into response messages by origin
>   servers or intermediaries for whatever reason, as it can reveal the whole
>   proxy chain to the client. As a side effect, special care must be taken
>   in hosting environments not to allow the TRACE request where the Forwarded
>   field is used, as it would appear in the body of the response message.
> 
> I'll probably have other comments and agree with those raised by Amos.
> 
> Regards,
> Willy
> 

--
Mark Nottingham   http://www.mnot.net/
Received on Wednesday, 2 May 2012 05:27:14 GMT
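The two leak paths Willy describes above, as an added example that is not part of the thread or of the draft: a proxy chain appends one Forwarded element per hop, an origin that still honours TRACE reflects the whole request (chain included) as a message/http body, and the check flags any Forwarded or X-Forwarded-* field that reaches the client either in the response header block or inside such an echoed body. The chain model, the echoing and hardened origins, and the addresses are constructed for illustration and are not any real deployment.

```python
"""Check an HTTP response for Forwarded / X-Forwarded-* fields exposed to the
client, via the response header block or an echoed request body (TRACE).
Stdlib only; the proxy chain and origins below are constructed models."""


def parse_http_message(raw: bytes):
    """Split a raw HTTP/1.1 message into (start_line, headers, body).

    headers is a list of (name, value) pairs with names lower-cased, so
    repeated fields (several Forwarded lines, one per hop) are all kept.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first colon only: IPv6 values contain colons
        if name:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def _status_code(start_line: str) -> int:
    parts = start_line.split()
    return int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0


def is_forwarded_field(name: str) -> bool:
    """The draft's Forwarded field and the de facto X-Forwarded-* family."""
    return name == "forwarded" or name.startswith("x-forwarded-")


def find_forwarded_leaks(raw_response: bytes, request_method: str):
    """Return [(where, name, value)] for every forwarding field the client can
    see: 'response-header' when it was copied into the response, 'trace-body'
    when it sits inside an echoed request (message/http body, or a successful
    reply to TRACE)."""
    status_line, headers, body = parse_http_message(raw_response)
    findings = [("response-header", n, v) for n, v in headers if is_forwarded_field(n)]
    content_type = next((v for n, v in headers if n == "content-type"), "").lower()
    echoed_request = content_type.startswith("message/http") or (
        request_method.upper() == "TRACE" and 200 <= _status_code(status_line) < 300
    )
    if echoed_request:
        _, echoed_headers, _ = parse_http_message(body)
        findings += [("trace-body", n, v) for n, v in echoed_headers if is_forwarded_field(n)]
    return findings


def forward_through_proxies(request: bytes, hops):
    """Constructed proxy-chain model: each (client_ip, proxy_ip) hop appends a
    Forwarded element, for= the address the proxy received the request from,
    by= the proxy's own interface, so the full chain accumulates in the field."""
    head, _, body = request.partition(b"\r\n\r\n")
    for client_ip, proxy_ip in hops:
        head += f"\r\nForwarded: for={client_ip};by={proxy_ip}".encode("ascii")
    return head + b"\r\n\r\n" + body


def trace_echo_origin(request: bytes) -> bytes:
    """Constructed origin that honours TRACE: the received request is
    reflected to the client as a message/http body, Forwarded fields included."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n"
            b"Content-Length: %d\r\n\r\n" % len(request) + request)


def hardened_origin(request: bytes) -> bytes:
    """Constructed origin following the note: TRACE is refused outright and
    nothing from the request's forwarding fields is copied into the reply."""
    method = request.split(b" ", 1)[0]
    if method == b"TRACE":
        return b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\nContent-Length: 0\r\n\r\n"
    return b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"


# Constructed sample: a TRACE that crosses two proxies before the origin.
SAMPLE_HOPS = [("203.0.113.5", "198.51.100.17"), ("198.51.100.17", "192.0.2.30")]
SAMPLE_TRACE = forward_through_proxies(
    b"TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n", SAMPLE_HOPS)

if __name__ == "__main__":
    for label, origin in (("echoing origin", trace_echo_origin), ("hardened origin", hardened_origin)):
        print(label, find_forwarded_leaks(origin(SAMPLE_TRACE), "TRACE"))
```

Point the same check at a real deployment by substituting a captured response for the constructed one; a non-empty result for an external client means the chain (or part of it) is visible from outside.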