
Re: Consensus Call Re: [XMLHttpRequest] Publishing another draft

From: Daniel Veditz <dveditz@cruzio.com>
Date: Mon, 15 Oct 2007 10:33:59 -0700
Message-ID: <4713A487.7030200@cruzio.com>
To: "Web API WG (public)" <public-webapi@w3.org>

Section 1.2.1 seems to say that a conforming user agent SHOULD support the
TRACE method since TRACE is one of the RFC 2616 5.1.1 methods. Instead the
XHR spec should explicitly say that "a conforming user agent SHOULD NOT
support the TRACE or TRACK methods". (TRACK is used by old versions of IIS)

These two methods can be abused through XSS holes to recover HttpOnly
cookies and Http Authentication details. Mozilla browsers do not and will
not support these two methods. US-CERT has recommended servers disable
TRACE support since 2003 because of this problem, but many did not get the
message. http://www.kb.cert.org/vuls/id/867593

-Dan Veditz
Received on Tuesday, 16 October 2007 03:33:57 GMT
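The two halves of the recommendation above, as an added example that is not part of Dan Veditz's message, the W3C draft, or any browser's source: a user-agent-side gate that refuses TRACE and TRACK at open() time, and a server-side handler that answers those methods with 405 instead of echoing the request (the echo is what reflects Cookie and Authorization headers back to script). The function names, the simplification of uppercasing every method, and the sample request objects are assumptions made here.

```javascript
// Added example, not code from the original post or from any browser or server.
// The names below (FORBIDDEN_METHODS, normalizeMethod, isForbiddenMethod,
// openChecked, handleRequest) are illustrative.

// Methods a conforming user agent should not let script send.
const FORBIDDEN_METHODS = new Set(['TRACE', 'TRACK']);

// RFC 2616 method names are "token"s; reject anything else before comparing.
// Simplification: uppercase every method, whereas real browsers only normalize
// a fixed list of well-known methods.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
function normalizeMethod(method) {
  if (typeof method !== 'string' || !TOKEN.test(method)) {
    throw new SyntaxError(`invalid HTTP method token: ${JSON.stringify(method)}`);
  }
  return method.toUpperCase();
}

// True when the user agent should refuse the method (case-insensitive match).
function isForbiddenMethod(method) {
  return FORBIDDEN_METHODS.has(normalizeMethod(method));
}

// Stand-in for XMLHttpRequest.open(): records a permitted method and URL,
// throws a SecurityError-style error for TRACE/TRACK so script never gets a
// request object it could send.
function openChecked(method, url) {
  const m = normalizeMethod(method);
  if (FORBIDDEN_METHODS.has(m)) {
    const err = new Error(`method ${m} is not permitted from script`);
    err.name = 'SecurityError';
    throw err;
  }
  return { method: m, url: String(url) };
}

// Server side (the US-CERT advice): refuse TRACE/TRACK with 405 and an Allow
// header rather than echoing the request line and headers back to the caller.
// `req` is a minimal constructed request object: { method, headers }.
function handleRequest(req) {
  const m = String(req.method).toUpperCase();
  if (FORBIDDEN_METHODS.has(m)) {
    return { status: 405, headers: { Allow: 'GET, HEAD, POST' }, body: '' };
  }
  return { status: 200, headers: {}, body: 'ok' };
}

// Constructed sample requests, one with the kind of headers TRACE would echo.
const SAMPLE_REQUESTS = [
  { method: 'GET', headers: {} },
  { method: 'trace', headers: { Cookie: 'session=redacted; HttpOnly', Authorization: 'Basic redacted' } },
  { method: 'TRACK', headers: {} },
];

for (const req of SAMPLE_REQUESTS) {
  const res = handleRequest(req);
  console.log(`${req.method.padEnd(6)} -> ${res.status}`);
}
```

Both checks compare case-insensitively because the risk does not depend on how the method name is cased; the server handler deliberately returns an empty body so that no part of the original request is reflected.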
