Ian Hickson wrote:
> On Thu, 8 Jun 2006, Charles McCathieNevile wrote:
>>> Please be more specific. POST today allows *anything*.
>> Well, POST allows you to send anything. DELETE and PUT actually have
>> semantics that make them much more dangerous (and much more useful, if
>> you're building very simple publishing systems).
>
> Just to be clear: from a security standpoint, none of those are a problem.
> They all just affect the target host. There are FAR more dangerous
> methods, for example CONNECT. The risk is not that the first-party server
> might be attacked, since the first-party server is the only server we
> _don't_ care about attacking. The risks are for things _other_ than the
> first-party server. For example, a proxy server.
> ...

Speaking of which, if this is a security problem: why hasn't it been fixed in Firefox 1.5 and/or IE 6SP2? Both seem to happily send CONNECT requests when asked for.

Best regards, Julian

Received on Friday, 9 June 2006 07:43:13 GMT
This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:55 GMT