W3C home > Mailing lists > Public > public-webapi@w3.org > October 2007

Re: Consensus Call Re: [XMLHttpRequest] Publishing another draft

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 16 Oct 2007 12:13:19 +0200
To: "Daniel Veditz" <dveditz@cruzio.com>, "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.t0ab0hxd64w2qv@annevk-t60.oslo.opera.com>

On Mon, 15 Oct 2007 19:33:59 +0200, Daniel Veditz <dveditz@cruzio.com>  
> Section 1.2.1 seems to say that a conforming user agent SHOULD support  
> the TRACE method since TRACE is one of the RFC 2616 5.1.1 methods.  
> Instead the XHR spec should explicitly say that "a conforming user agent  
> support the TRACE or TRACK methods". (TRACK is used by old versions of  
> IIS)
> These two methods can be abused through XSS holes to recover HttpOnly
> cookies and Http Authentication details. Mozilla browsers do not and will
> not support these two methods. US-CERT has recommended servers disable
> TRACE support since 2003 because of this problem, but many did not get  
> the message. http://www.kb.cert.org/vuls/id/867593

CONNECT is also a security issue. The SHOULD-level requirement is about  
supporting arbitrary HTTP methods, not TRACE, CONNECT, and apparently  
TRACK, specifically. The open() algorithm allows user agents to throw a  
SECURITY_ERR exception for methods with security implications though it  
doesn't call the known ones out explicitly. It probably should.

How to deal with HTTP methods is a bit unclear at the moment. Generally  
speaking Firefox supports arbitrary HTTP methods though it uses some  
case-insensitive hash table which violates HTTP. Internet Explorer 7  
doesn't support them, uses a whitelist, and throws an exception for  
unknown methods. Opera doesn't either, and uses GET requests for unknown  

Anne van Kesteren
Received on Tuesday, 16 October 2007 10:13:31 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:16:24 UTC