
Re: Cross-site Requests and Custom HTTP Headers

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 26 Feb 2008 03:54:28 -0800
Message-ID: <47C3FDF4.2070605@sicking.cc>
To: mike amundsen <mca@amundsen.com>
Cc: Anne van Kesteren <annevk@opera.com>, John Panzer <jpanzer@acm.org>, "WAF WG (public)" <public-appformats@w3.org>

mike amundsen wrote:
> I propose the following HTTP Headers be added to the white list:
> 
> Accept
> Accept-Language
> Accept-Ranges
> Age
> Allow
> Cache-Control
> Content-Disposition
> Content-Language
> Content-Location
> Content-MD5
> Content-Range
> Content-Type
> ETag
> Expect
> Expires
> From
> If-Match
> If-Modified-Since
> If-None-Match
> If-Range
> If-Unmodified-Since
> Last-Modified
> Location
> Max-Forwards
> Pragma
> Range
> Refresh
> Retry-After
> Server
> Transfer-Encoding
> User-Agent
> Vary
> Warning

So first off, this whitelist only matters for GET requests. So headers 
that don't make sense for GET I don't see a reason to allow; that 
especially includes request headers.

I'm wondering what you based this list on, and why you think that these 
headers are all going to be safe? For example Content-MD5 (apart from 
the fact that it doesn't make sense for GET requests) seems dangerous if 
the server relies on it being truthful.

/ Jonas

Received on Tuesday, 26 February 2008 11:55:02 GMT
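The two points in the reply above, modelled in code as an added example (this is editor-supplied illustration, not code from the working group or from either poster): first, a browser-side rule that a cross-site GET may silently carry only headers on an explicit allowlist, with body-describing headers held back because a GET has no entity; second, the server-side rule that a client-supplied Content-MD5 is a claim to be recomputed and compared, never relied on as truthful. The allowlist `ASSUMED_GET_ALLOWLIST` and the `BODY_HEADERS` set are constructed for this example and are not the list under discussion.

```python
"""Defender-side checks drawn from the thread: an allowlist model for
cross-site GET headers, and verification (not trust) of Content-MD5.

The allowlist below is an assumption made for this example only; it is not
the proposed whitelist from the thread.
"""
import base64
import hashlib
import hmac
from typing import Dict, List, Tuple

# Assumed allowlist of request headers that are meaningful on a plain GET.
# Header names are compared case-insensitively, as HTTP requires.
ASSUMED_GET_ALLOWLIST = frozenset(
    name.lower()
    for name in ("Accept", "Accept-Language", "If-None-Match", "If-Modified-Since")
)

# Headers that describe a request body. A GET carries no body, so their
# presence on a cross-site GET is a reason to withhold them, whatever any
# allowlist says.
BODY_HEADERS = frozenset(
    name.lower()
    for name in ("Content-MD5", "Content-Range", "Content-Length",
                 "Transfer-Encoding", "Expect")
)


def partition_cross_site_get(headers: Dict[str, str],
                             allowlist=ASSUMED_GET_ALLOWLIST
                             ) -> Tuple[List[str], List[str]]:
    """Split headers a page asked to set on a cross-site GET into those the
    browser may send without further opt-in and those it must withhold.

    Returns (sent, withheld), preserving the caller's order.
    """
    sent: List[str] = []
    withheld: List[str] = []
    for name in headers:
        key = name.lower()
        if key in allowlist and key not in BODY_HEADERS:
            sent.append(name)
        else:
            withheld.append(name)
    return sent, withheld


def content_md5_for(body: bytes) -> str:
    """Content-MD5 value as RFC 1864 defines it: base64 of the raw MD5 digest."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def verify_content_md5(body: bytes, claimed: str) -> bool:
    """Server-side check: recompute the digest over the bytes actually
    received and compare with the client's claim in constant time.
    A mismatch or a malformed header means the claim must not be relied on.
    """
    try:
        claimed_digest = base64.b64decode(claimed, validate=True)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(hashlib.md5(body).digest(), claimed_digest)


if __name__ == "__main__":
    # Constructed request headers a page might try to attach to a GET.
    requested = {
        "Accept": "application/json",
        "Content-MD5": "XUFAKrxLKna5cZ2REBfFkg==",
        "X-Custom": "1",
        "accept-language": "en",
    }
    print("sent/withheld:", partition_cross_site_get(requested))
    # Constructed entity and a claim that does not match it.
    print("honest claim:", verify_content_md5(b"hello", content_md5_for(b"hello")))
    print("false claim:", verify_content_md5(b"hello", content_md5_for(b"hellp")))
```

The verification half only applies to requests that actually carry an entity; on a GET the right action is the one the first half takes, which is to withhold the header rather than act on it.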
