- From: Stefan Eissing <stefan.eissing@greenbytes.de>
- Date: Mon, 17 Feb 2003 16:53:07 +0100
- To: Alex Rousskov <rousskov@measurement-factory.com>
- Cc: ietf-http-wg@w3.org
On Saturday, 15.02.03, at 01:39 (Europe/Berlin), Alex Rousskov wrote:

>
> What is your opinion? Should TRACE be supported by default? Is it a
> good idea to mention this "exposure" vulnerability in HTTP errata or
> elsewhere?

Hmm. Maybe one could exclude sensitive headers such as Authorization, Cookie and Proxy-Authorization from TRACE responses. After all, 2616, ch. 9.8 says that the complete request SHOULD be sent back. So, it's not a MUST and implementations might have a good reason for not doing so.

Making life harder for such exploits seems like a good idea and it would allow keeping TRACE in the server. On the other hand - as is also stated in the report - there is no protection against XSS-enabled clients.

//Stefan
Received on Monday, 17 February 2003 10:54:12 UTC
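The mitigation discussed in the message above, as an added example that is not code from the original post or from any server implementation: a TRACE handler that reflects the request as message/http but drops the Authorization, Cookie and Proxy-Authorization headers, which RFC 2616 section 9.8 permits because reflecting the complete request is only a SHOULD. The header list, the function names and the sample request are assumptions made for this illustration; the sample request is constructed, not captured.

```python
# Added example, not code from the original message. Demonstrates a TRACE
# response that omits sensitive headers, plus a client-side check that
# reports which sensitive headers a TRACE response still reflects.
from __future__ import annotations

from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed list of headers that should never be echoed back in a TRACE body.
SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})


def parse_request_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP/1.x request head into request line and header pairs.

    Header names keep their original spelling; obsolete line folding is not
    handled, which is sufficient for the constructed input below.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def build_trace_body(request_line: str, headers: list[tuple[str, str]],
                     redact: bool = True) -> bytes:
    """Build the message/http body carried by a TRACE response.

    redact=False reflects the whole request (the RFC 2616 9.8 SHOULD);
    redact=True drops the sensitive headers, which the SHOULD allows.
    """
    lines = [request_line]
    for name, value in headers:
        if redact and name.lower() in SENSITIVE_HEADERS:
            continue
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


def build_trace_response(raw_request: bytes, redact: bool = True) -> bytes:
    """Full TRACE response: status line, headers and message/http body."""
    request_line, headers = parse_request_head(raw_request)
    body = build_trace_body(request_line, headers, redact)
    head = ("HTTP/1.1 200 OK\r\n"
            "Content-Type: message/http\r\n"
            f"Content-Length: {len(body)}\r\n"
            "\r\n")
    return head.encode("iso-8859-1") + body


def reflected_sensitive_headers(trace_response: bytes) -> list[str]:
    """Names of sensitive headers present in a TRACE response body.

    Run against a real server's TRACE reply, a non-empty list means the
    server still reflects credentials and cookies to the caller.
    """
    body = trace_response.split(b"\r\n\r\n", 1)[1]
    _, headers = parse_request_head(body)
    return [name for name, _ in headers if name.lower() in SENSITIVE_HEADERS]


class RedactingTraceHandler(BaseHTTPRequestHandler):
    """http.server handler whose TRACE reflects the request minus the
    sensitive headers (assumed handler, for local experimentation)."""

    def do_TRACE(self):
        headers = list(self.headers.items())
        body = build_trace_body(self.requestline, headers)
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# Constructed sample request: what a browser would send if a script made it
# issue TRACE, with the browser attaching its own cookie and credentials.
SAMPLE_REQUEST = (
    b"TRACE / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Cookie: session=abc123\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(build_trace_response(SAMPLE_REQUEST).decode("iso-8859-1"))
    # To try the handler with a real client (e.g. curl -X TRACE), uncomment:
    # HTTPServer(("127.0.0.1", 8080), RedactingTraceHandler).serve_forever()
```

The point Stefan makes about XSS-enabled clients still holds: redaction on the server only removes the echo, so a script that can already read the browser's own requests gains nothing from TRACE, and a script that cannot is denied the credentials it was after.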