Re: consensus on :query ?

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 21 Jul 2014 09:04:34 +0200
To: Roberto Peon <grmocg@gmail.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20140721070433.GN21834@1wt.eu>

On Sun, Jul 20, 2014 at 11:51:37PM -0700, Roberto Peon wrote:
> Don't get me wrong-- I think it'd be mostly fine.
> I also think, however, that this is a piece of information which is likely
> to contain sensitive information, and as a result, if we want to do
> something different than we do now, we should get it reviewed.
> 
> One simple example of how this makes stuff easier-- Since the path and
> query are separated, an attack that attacks the local state by acting as a
> malicious mitm of TCP packets may perform more attacks before the TCP recv
> window runs out.
> 
> Do I think that is a particularly strong weakness? No. However, it still
> needs review.

OK so I think we're in line then. Sure it needs to be reviewed, and I'm
not worried either (I guess whatever can be found on it will also affect
the current state of the spec).

Willy
Received on Monday, 21 July 2014 07:08:11 UTC