- From: Adrien de Croy <adrien@qbik.com>
- Date: Sat, 18 Jul 2009 00:55:02 +1200
- To: HTTP Working Group <ietf-http-wg@w3.org>
I raised this a while back but there was no real comment on it (that I saw). I've been doing a bit more thinking on this.

The scenario that has me concerned is where there's a request in the form of an Absolute-URI to a proxy, but the host in the Absolute-URI doesn't match the host in the Host header.

When a proxy receives such a request, if it doesn't look for consistency between these 2 values, it would use the host in the URI, and connect to that, and send the original untouched Host header (denoting some other host and/or port than the one connected to).

This has several possible problems.

1. If the request is then intercepted by another proxy (not uncommon), it may only have the information (bogus) in the Host header to make a connection based on.
2. If the request goes to a server, the other host may also be hosted there.

This could end up only bypassing security, or worse. Is this an opportunity for a XSS attack? Do any browsers allow script to alter the host header in requests?

Should a proxy be concerned about this possibility? If so, what should it do?

a) rewrite the Host header always with the host from the URI regardless.
b) bounce the request with a 400 if they don't match

or something else?

My preference would be b, but does that break any valid uses?

Regards

Adrien

--
Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Friday, 17 July 2009 12:52:13 UTC
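
Options (a) and (b) from the message above, as an added sketch that is not part of the original post or of any proxy's own code. The names `authority` and `check_proxy_request`, the `policy` parameter and the sample hosts are hypothetical; comparison is on lowercase host plus port, with the scheme's default port filled in.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def authority(hostport, scheme):
    """Normalise 'host[:port]' to (lowercase host, explicit port)."""
    parts = urlsplit(f"{scheme}://{hostport}")
    if not parts.hostname or parts.path or parts.query or parts.fragment \
            or parts.username is not None:
        raise ValueError("malformed authority")
    port = parts.port  # raises ValueError on a non-numeric port
    return parts.hostname, DEFAULT_PORTS[scheme] if port is None else port


def check_proxy_request(request_line, headers, policy="reject"):
    """Return ("forward", headers) or ("reject", None).

    headers is a list of (name, value) tuples as received from the client.
    policy "reject" is option (b): answer 400 on mismatch.
    policy "rewrite" is option (a): replace Host with the URI authority.
    """
    try:
        _method, target, _version = request_line.split(" ", 2)
        uri = urlsplit(target)
        if uri.scheme not in DEFAULT_PORTS or not uri.netloc:
            return "reject", None  # only absolute-URI form is handled here
        hosts = [v.strip() for n, v in headers if n.lower() == "host"]
        if len(hosts) != 1:
            return "reject", None  # missing or duplicated Host header
        uri_auth = authority(uri.netloc, uri.scheme)
        host_auth = authority(hosts[0], uri.scheme)
    except ValueError:
        return "reject", None
    if uri_auth == host_auth:
        return "forward", headers
    if policy == "rewrite":
        return "forward", [(n, uri.netloc if n.lower() == "host" else v)
                           for n, v in headers]
    return "reject", None


# Constructed sample requests, not taken from the original message.
if __name__ == "__main__":
    line = "GET http://example.com/index.html HTTP/1.1"
    for host in ("example.com", "EXAMPLE.com:80", "other.example"):
        print(host, check_proxy_request(line, [("Host", host)])[0])
```
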