
RE: XML Protocol: Proposals to address SOAPAction header

From: Larry Masinter <LMM@acm.org>
Date: Sat, 9 Jun 2001 21:55:43 -0700
To: "Henrik Frystyk Nielsen" <henrikn@microsoft.com>, "Simon Fell" <soap@zaks.demon.co.uk>, <xml-dist-app@w3.org>, <xmlp-comments@w3.org>
Message-ID: <NDBBKEBDLFENBJCGFOIJAEBEFBAA.LMM@acm.org>
> - I would be interested in hearing what you think about that
> 
>   http://lists.w3.org/Archives/Public/xml-dist-app/2001May/0053.html
> 

I don't see how this has fixed the problem, though:

# The presence and content of the SOAPAction header field MAY be used by
# servers such as firewalls to appropriately filter SOAP HTTP request
# messages and it may be used by servers to facilitate dispatching of SOAP
# messages to internal message handlers etc. It SHOULD NOT be used as an
# insecure form of access authorization. 

* Exactly how is it that a firewall might use a SOAPAction header
  to "appropriately" filter SOAP HTTP request messages?
  As far as I can tell, there's not enough information to decide
  which requests with which SOAPAction headers the firewall should
  accept, and which it should reject, or even how a firewall that
  rejects such a message should signal its rejection. Treat it as
  an attack? The main purpose of firewall filtering is to prevent
  unwanted or malicious traffic, but there's no reason to believe that
  malicious SOAP messages would contain a correct SOAPAction header.
  So I don't think the first application "appropriate filter SOAP
  HTTP request methods" has been reasonably justified, at least in
  this fragment of text.

* The second application for SOAPAction headers given is that
  it "may be used by servers to facilitate dispatching", but
  the only way that a server might use a SOAPAction header would
  be if there were some specification of which kind of SOAPAction
  headers should be dispatched and which should not, and where
  they should be dispatched. Is the SOAPAction header like another
  kind of RequestURI? 

So I think this attempted clarification does nothing
to respond to the criticism that the value of the SOAPAction
header is not specified well enough for it to be used for
its stated purposes.

Larry
-- 
http://larry.masinter.net
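Added example, not code from Masinter's message or from the W3C: a Python sketch of the two uses the quoted text names (filtering and dispatching), contrasting a gateway that trusts the client-supplied SOAPAction header with one that routes on the Body's first child and rejects a request whose header disagrees with its body. The service namespace, SOAPAction URIs and routing tables are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed routing tables for a hypothetical stock service. The body
# table keys on the Body's first child (Clark notation); the header table
# keys on the SOAPAction URIs this deployment has chosen to advertise.
BODY_ROUTES = {
    "{urn:example:stock}GetLastTradePrice": "quote_handler",
    "{urn:example:stock}PlaceOrder": "order_handler",
}
ACTION_ROUTES = {
    "urn:example:stock#GetLastTradePrice": "quote_handler",
    "urn:example:stock#PlaceOrder": "order_handler",
}

def soapaction(headers):
    """SOAPAction carries a quoted URI; strip the quotes. Missing -> None."""
    value = headers.get("SOAPAction")
    return None if value is None else value.strip().strip('"')

def body_operation(envelope_xml):
    """Return the QName of the first child of soap:Body, or raise."""
    body = ET.fromstring(envelope_xml).find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("missing or empty soap:Body")
    return body[0].tag

def dispatch_by_header(headers, envelope_xml):
    """Header-only routing: the body is never consulted."""
    return ACTION_ROUTES.get(soapaction(headers), "reject")

def dispatch_by_body(headers, envelope_xml):
    """Route on the Body. A present, non-empty SOAPAction that names a
    different handler is treated as a reject rather than believed."""
    handler = BODY_ROUTES.get(body_operation(envelope_xml), "reject")
    action = soapaction(headers)
    if action and ACTION_ROUTES.get(action) != handler:
        return "reject"
    return handler

# Constructed request body: the Body places an order.
ENVELOPE = (f'<e:Envelope xmlns:e="{SOAP_ENV}"><e:Body>'
            '<s:PlaceOrder xmlns:s="urn:example:stock"/></e:Body></e:Envelope>')

if __name__ == "__main__":
    # Constructed headers: the SOAPAction claims a read-only quote.
    hdrs = {"SOAPAction": '"urn:example:stock#GetLastTradePrice"'}
    print(dispatch_by_header(hdrs, ENVELOPE))  # quote_handler
    print(dispatch_by_body(hdrs, ENVELOPE))    # reject
```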
Received on Sunday, 10 June 2001 00:57:04 GMT