- From: Scott Lawrence <scott-http@skrb.org>
- Date: 17 Feb 2003 11:43:01 -0500
- To: ietf-http-wg@w3.org
Alex Rousskov:
> What is your opinion? Should TRACE be supported by default? Is it a
> good idea to mention this "exposure" vulnerability in HTTP errata or
> elsewhere?

Stefan Eissing <stefan.eissing@greenbytes.de> writes:
> Hmm. Maybe one could exclude sensitive headers such as
> Authorization, Cookie and Proxy-Authorization from TRACE responses.

The entire value of TRACE lies in it being an exact copy; otherwise it's pretty worthless as a debugging mechanism.

> On the other hand - as it is stated also in the report - there is no
> protection against XSS-enabled clients.

This exploit does not expose any user or application that is not already sending authentication credentials in clear over the net. Digest Authentication already solves this problem, and provides the session tracking (via the server nonce) that applications want as well, without exposing anything either on the net or to XSS clients.

Trying to repair this "new" problem by changing TRACE is like fixing an abdominal bullet wound with a Band-Aid.

--
Scott Lawrence
Actively seeking work
http://world.std.com/~lawrence/
[<lawrence@world.std.com> is deprecated]
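An added illustration of the argument above (example code written for this archive page, not from the thread's participants or any HTTP implementation): a TRACE echo is modelled as an exact copy of the request headers, and the same echo is checked with a Basic credential and with an RFC 2617 Digest credential. The nonce values, user name and password are constructed sample data.

```python
import base64
import hashlib
import re

# Constructed sample nonces (not taken from the mailing-list thread).
NONCE_1 = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
NONCE_2 = "0123456789abcdef0123456789abcdef"


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Basic auth sends the credential itself, merely base64-encoded."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def digest_header(user, realm, password, method, uri, nonce,
                  nc="00000001", cnonce="0a4f113b"):
    """RFC 2617 Digest (qop=auth): a hash bound to the server nonce; the
    password never appears on the wire."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    resp = md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def trace_echo(headers: dict) -> str:
    """TRACE semantics: the response body is an exact copy of the request."""
    return "\r\n".join(f"{k}: {v}" for k, v in headers.items())


def password_recoverable(echo: str, password: str) -> bool:
    """Could a script that reads the TRACE echo learn the password?"""
    for line in echo.split("\r\n"):
        if line.startswith("Authorization: Basic "):
            decoded = base64.b64decode(line.split(" ", 2)[2]).decode()
            if decoded.split(":", 1)[1] == password:
                return True
    return password in echo


def parse_digest(header: str) -> dict:
    body = header.split(" ", 1)[1]
    return {k: v for k, _, v in re.findall(r'(\w+)=("?)([^",]+)\2', body)}


def digest_valid(header: str, stored_ha1: str, method: str, expected_nonce: str) -> bool:
    """Server-side check: the digest verifies only against the nonce it was issued for,
    so an echoed header is useless once the server moves to a fresh nonce."""
    f = parse_digest(header)
    if f["nonce"] != expected_nonce:
        return False
    ha2 = md5hex(f"{method}:{f['uri']}")
    return md5hex(f"{stored_ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}") == f["response"]
```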
Received on Monday, 17 February 2003 11:43:08 UTC