Re: consensus on :query ? from Greg Wilkins on 2014-07-21 (ietf-http-wg@w3.org from July to September 2014)

From: Greg Wilkins <gregw@intalio.com>
Date: Mon, 21 Jul 2014 11:50:50 +1000
To: Roberto Peon <grmocg@gmail.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAH_y2NEX9a8fyW3n=_1x5m6zfCjONCjEGceX+WHZ2gx_V--h9g@mail.gmail.com>

I'm +0 for this, in that I think it is a good idea, but not something that
is a must have.
We already imply the scheme, cut out the authority, so why not complete the
decomposition.

cheers



On 21 July 2014 11:33, Roberto Peon <grmocg@gmail.com> wrote:

> One doesn't have to guess path + query, one only guess the query.
> In some scenarios, this enhances the attacker's ability to probe.
> The question is, does it do so enough for us to care.
>
> -=R
>
>
> On Sun, Jul 20, 2014 at 2:05 PM, Poul-Henning Kamp <phk@phk.freebsd.dk>
> wrote:
>
>> In message <CAP+FsNfy-3V_BRcqa1ATts7SgX=
>> hqEDvtK7LjuA5iHAG3gaBEQ@mail.gmail.com>
>> , Roberto Peon writes:
>>
>> >It could make guessing things potentially easier.
>>
>> Please explain ?
>>
>> --
>> Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
>> phk@FreeBSD.ORG         | TCP/IP since RFC 956
>> FreeBSD committer       | BSD since 4.3-tahoe
>> Never attribute to malice what can adequately be explained by
>> incompetence.
>>
>
>


-- 
Greg Wilkins <gregw@intalio.com>
http://eclipse.org/jetty HTTP, SPDY, Websocket server and client that scales
http://www.webtide.com  advice and support for jetty and cometd.

Received on Monday, 21 July 2014 01:51:19 UTC