- From: Yves Lafon <ylafon@w3.org>
- Date: Tue, 18 Jul 2006 12:02:20 +0200 (MEST)
- To: Mark Nottingham <mnot@mnot.net>
- cc: HTTP Working Group <ietf-http-wg@w3.org>
On Mon, 17 Jul 2006, Mark Nottingham wrote:
>
> RFC2616 says that POST, PUT, DELETE and unrecognised request methods passing
> through a cache MUST invalidate one or more cache entries (depending on the
> values of the Location and Content-Location headers).
>
> http://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html#sec13.10
>
> In my informal (and not yet complete) testing, I've only found one cache
> implementation -- client or intermediary -- that actually does this. I've
> tried to engage various vendors, etc. to fix it, but haven't seen much
> interest.
Good, my implementation seems to behave properly (although I didn't check
with Location and Content-Location).
In 13.10, there is also a paragraph about DoS invalidation attacks using
fake Content-Location, and there is a assumption about "domain of control"
of URIs:
<<<
In order to prevent denial of service attacks, an invalidation based
on the URI in a Location or Content-Location header MUST only be
performed if the host part is the same as in the Request-URI.
>>>
As having the same host does not mandate any kind of exclusive control
over the content of a web server, should we downgrade this MUST in a
SHOULD ? (or even delete it and put warning text about possible DoS
attack)
--
Yves Lafon - W3C
"Baroula que barouleras, au tiéu toujou t'entourneras."
Received on Tuesday, 18 July 2006 10:03:23 UTC