- From: Steingruebl, Andy <asteingruebl@paypal-inc.com>
- Date: Thu, 20 Jan 2011 17:07:22 -0700
- To: Michal Zalewski <lcamtuf@coredump.cx>
- CC: Brandon Sterne <bsterne@mozilla.com>, Adam Barth <w3c@adambarth.com>, "public-web-security@w3.org" <public-web-security@w3.org>, Sid Stamm <sid@mozilla.com>, Lucas Adamski <ladamski@mozilla.com>
> -----Original Message-----
> From: Michal Zalewski [mailto:lcamtuf@coredump.cx]
>
> Possibly, but IIRC, this does not happen today with <img>, <script>, etc. IIRC,
> any codes other than 30x and 401 (and possibly other obscure cases) are
> essentially treated as 200. I suppose this is in line with the tradition of
> ignoring other HTTP information in these cases (Content-Type,
> Content-Disposition), although there are some efforts to improve at least that
> last part.

Any history on why this is the case? And, what would break if this behavior changed?

For example, we've never seen a case in recent history where any browser will execute the embedded script in your example when the page is a 302 for example, and yet some vuln scanners still complain about this issue.

I realize lots of people have rich 404-pages, but how much would we really break if we turned that off? No "dynamic content" on a 404? Or, some other heuristic which covers your include case safely, but doesn't impact people's existing 404-pages that embed content.

- Andy
Received on Monday, 24 January 2011 17:58:07 UTC