- From: Balint Nagy Endre <bne@bne.ind.eunet.hu>
- Date: Tue, 12 Sep 1995 05:07:09 +0200 (MET DST)
- To: Roy Fielding <fielding@beach.w3.org>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Roy Fielding: > > A proxy cannot forward a method it doesn't understand. Shel Kaphan: > >Why not? It seems to me this places an unnecessary limitation on the > >protocol without reason. (OK, you might have a reason, but you didn't > >state it, and it isn't obvious). Roy: > Because the semantics of the method determine whether or not the > request contains content and/or the response contains content, > and whether or not the request is intended for the immediate > server (possibly a proxy), all servers along the request route, > or just the origin server. See an other message from Shel about this. > No firewall proxy will ever forward an action that it doesn't > know the consequences of. In order to experiment with new methods, > all servers along the request/response chain must have a common > understanding of the semantics of the method. I'm using the plug-gw from TIS firewall toolkit to gateway NNTP since may. (I have a 2-5 node LAN, and I use Netscape to read news. I need the gateway because my LAN is not advertised by any routing protocol - I even choosed IP addresses for the LAN, belonging to private address range.) Now I installed the same plug-gw to forward HTTP. When I configure lynx to use http proxy at 10.1.2.3:8083 (plug-gw) instead of 10.1.2.3:8080 (cern-httpd), should I consider a HTTP GET request as a security risk? (both proxies are configured to connect to the same outer proxy.) (in flame mode - yes, but really no.) And should I consider a HTTP BLAH request as a security risk? And how about a GET request with state-info extension? (or, using netscape, a GET with netscape cookie extension?) And what should I think, when I change back to cern-httpd? And what happens, when my wife does the same? (malfunction - my wife will get the response, sent to me and cached by cern-httpd, if the response does contain a valid last-modified header field.) And finally, what we should think about HTTP extensions and extension methods? (Sorry for provocation, but I really have fewer anwers than questions now.) Andrew. (Endre Balint Nagy) <bne@bne.ind.eunet.hu>
Received on Monday, 11 September 1995 20:16:45 UTC