
Re: [AC] URI canonicalization problem with Access-Control-Policy-Path

From: Jonas Sicking <jonas@sicking.cc>
Date: Tue, 27 May 2008 15:33:19 -0700
Message-ID: <483C8C2F.5000505@sicking.cc>
To: Bjoern Hoehrmann <derhoermi@gmx.net>
CC: "WAF WG (public)" <public-appformats@w3.org>

Bjoern Hoehrmann wrote:
>> Not really sure how to fix this short of disabling the whole 
>> Access-Control-Policy-Path feature. Especially if we assume that there 
>> are other canonicalization behaviors out there as well.
> 
> That would be a safe bet, for example, an Apache configuration like:
> 
>   RewriteCond %{QUERY_STRING} for=([^&;]+)
>   RewriteRule ^apis/search /scripts/%1.php [L]
> 
> would map /apis/search?for=images to /scripts/images.php, but would
> also map /apis/search?for=../admin/example to /admin/example.php internally,
> so posting to one would be like posting to the other. There
> http://www.google.com/codesearch?q=query_string+rewriterule.*%251 are
> quite a few techniques similar to this in use.

I'm less concerned about this since this is much less likely to happen 
than someone simply using IIS.

It is also arguable that this is simply how the server internally 
produces the resource for the API. I.e. it's not that different from if 
the server had a CGI on /apis/search that executed various server side 
executables based on the 'for' parameter.

/ Jonas
Received on Tuesday, 27 May 2008 22:36:14 GMT
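The mismatch under discussion, modelled in Python as an added example that is not code from this thread or from Apache: a prefix-based Access-Control-Policy-Path scope and the quoted RewriteRule are simulated side by side, so one can see two URLs pass the same path-prefix test while resolving to scripts in different directories, and how a tightened capture pattern (an assumption, not something the thread proposes) closes that gap. The example.com host, the leading `/` on the path, and the `..`-collapsing behaviour the quoted mail attributes to Apache are assumptions of the model.

```python
import re
from posixpath import normpath
from typing import Optional
from urllib.parse import urlsplit

# Model of the rewrite quoted above (assumed to run against paths with a leading "/"):
#   RewriteCond %{QUERY_STRING} for=([^&;]+)
#   RewriteRule ^apis/search /scripts/%1.php [L]
LOOSE_FOR = re.compile(r"for=([^&;]+)")
# Hypothetical hardened capture: only a bare script name, no separators or dots.
STRICT_FOR = re.compile(r"for=([A-Za-z0-9_-]+)(?:[&;]|$)")


def rewrite_target(url: str, strict: bool = False) -> Optional[str]:
    """Internal script the modelled RewriteRule would select, or None if it does not fire."""
    parts = urlsplit(url)
    if not parts.path.startswith("/apis/search"):
        return None
    m = (STRICT_FOR if strict else LOOSE_FOR).search(parts.query)
    if not m:
        return None
    # Modelled as the mail describes it: the rewritten path is collapsed, so a
    # captured "../" walks out of /scripts/ (assumption, see lead-in).
    return normpath("/scripts/" + m.group(1) + ".php")


def in_policy_scope(url: str, policy_path: str) -> bool:
    """Policy-path scoping as a plain prefix test on the request URL's path."""
    return urlsplit(url).path.startswith(policy_path)


def scope_mismatch(url: str, policy_path: str, strict: bool = False) -> bool:
    """True when the URL is inside the policy path but resolves outside /scripts/.

    This is the condition a deployer would want to detect: the policy covers the
    request by URL path, yet the server executes a script the policy author never
    meant to expose.
    """
    target = rewrite_target(url, strict)
    if target is None or not in_policy_scope(url, policy_path):
        return False
    return not target.startswith("/scripts/")


if __name__ == "__main__":
    for q in ("images", "../admin/example"):  # constructed sample query values
        u = f"http://example.com/apis/search?for={q}"
        print(u, "->", rewrite_target(u), "mismatch:", scope_mismatch(u, "/apis/"))
```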
