
Re: TRACK, was: LC comments.

From: Jonas Sicking <jonas@sicking.cc>
Date: Fri, 13 Jun 2008 10:40:05 -0700
Message-ID: <4852B0F5.9000600@sicking.cc>
To: Julian Reschke <julian.reschke@gmx.de>
CC: Anne van Kesteren <annevk@opera.com>, Yves Lafon <ylafon@w3.org>, public-webapps@w3.org

Julian Reschke wrote:
> 
> Anne van Kesteren wrote:
>>> Well, magic is quite scary, I'd rather have a statement explaining 
>>> roughly what TRACK is about (something non standard, not well 
>>> documented, and quite similar in functionality to TRACE).
>>
>> The specification says "Note: TRACK poses a security issue to legacy 
>> server deployments." What is not good about that?
> 
> TRACK is specific to a legacy version of IIS, and not documented 
> anywhere (right?).
> 
> So, I think the proper way to deal with this is either to be silent, or 
> to add this as an implementor's note in an appendix.
> 
> Requiring implementors to put in workarounds for something that is 
> neither documented nor shipping in current server versions is really 
> hard to accept.

Given that all browsers today have chosen to block this method, and are 
likely to continue to do so, it seems prudent to tell users of the 
interface about this, so that they don't try to use the method.

Whether you want to put this as a Note in the spec, or as a normative part of 
the spec, matters less to me. However, I don't see a reason not to make it 
normative since it's not going to change for any web browser.

/ Jonas
Received on Friday, 13 June 2008 17:43:47 GMT
