- From: James M Snell <jasnell@gmail.com>
- Date: Fri, 10 May 2013 11:29:16 -0700
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Fri, May 10, 2013 at 10:36 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
> On 9 May 2013 10:26, James M Snell <jasnell@gmail.com> wrote:
>> Recommendation: Adding a short statement that a PROTOCOL_ERROR MUST be
>> returned if a frame contains more bytes than what is expressly
>> specified in the frame definition.
>
> That would prevent extension unnecessarily. And it doesn't do
> anything to improve security.

How does it prevent extension? If someone wants to extend an existing frame to include new data, it can define a new frame type.

> When you want to harden security, you need to consider what equivalent
> options are available to an attacker. If I wanted to send you more
> data, then I will use DATA frames. Unless you can find a way to
> curtail DATA I see no reason to clamp down here.

In my experience, it's generally better to limit the exploitation options ;-)

- James
Received on Friday, 10 May 2013 19:31:19 UTC
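The strict per-type length check James recommends, as an added example that is not part of this thread or of any HTTP/2 implementation: a parser that rejects a fixed-length frame whose declared length differs from its definition before the payload is touched. It assumes the RFC 7540 frame layout (9-byte header; fixed payload sizes for PRIORITY, RST_STREAM, PING and WINDOW_UPDATE), which postdates the 2013 draft under discussion; the FrameError class, the build_frame/check helpers and the sample frames are constructed for the example.

```python
import struct

# Frame types with a fixed payload length per RFC 7540 (assumed layout here;
# the 2013 draft discussed in the thread used an earlier header format).
FRAME_PRIORITY, FRAME_RST_STREAM, FRAME_PING, FRAME_WINDOW_UPDATE = 0x2, 0x3, 0x6, 0x8
FIXED_PAYLOAD_LENGTH = {FRAME_PRIORITY: 5, FRAME_RST_STREAM: 4,
                        FRAME_PING: 8, FRAME_WINDOW_UPDATE: 4}
HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id


class FrameError(Exception):
    """A frame whose declared length contradicts its definition."""


def build_frame(frame_type, flags, stream_id, payload):
    """Serialize one frame; used only to construct the samples below."""
    header = len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
    return header + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def parse_frame(buf):
    """Parse one frame at the start of buf.

    Returns (frame_type, flags, stream_id, payload, bytes_consumed), or raises
    FrameError when a fixed-length type declares any other length: the strict
    check argued about in the thread, applied before the payload is read.
    """
    if len(buf) < HEADER_LEN:
        raise FrameError("truncated frame header")
    length = int.from_bytes(buf[0:3], "big")
    frame_type, flags = buf[3], buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    expected = FIXED_PAYLOAD_LENGTH.get(frame_type)
    if expected is not None and length != expected:
        raise FrameError(f"type 0x{frame_type:x} declares {length} bytes, "
                         f"definition allows exactly {expected}")
    if len(buf) < HEADER_LEN + length:
        raise FrameError("truncated frame payload")
    return frame_type, flags, stream_id, buf[HEADER_LEN:HEADER_LEN + length], HEADER_LEN + length


# Constructed samples: a valid 8-byte PING and one carrying 4 extra bytes.
GOOD_PING = build_frame(FRAME_PING, 0, 0, b"\x00" * 8)
OVERLONG_PING = build_frame(FRAME_PING, 0, 0, b"\x00" * 8 + b"XTRA")


def check(buf):
    """Return 'ok' or the rejection reason for one frame."""
    try:
        parse_frame(buf)
        return "ok"
    except FrameError as exc:
        return str(exc)
```

RFC 7540 eventually mandated exactly this check for these frame types, reporting the mismatch as FRAME_SIZE_ERROR rather than the PROTOCOL_ERROR proposed here.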