- From: Andreas Petersson <andreas@sbin.se>
- Date: Tue, 22 Nov 2011 15:35:21 +0100
- To: ietf-http-wg@w3.org
On Fri, 18 Nov 2011 19:12:52 +1300 Amos Jeffries <squid3@treenet.co.nz> wrote:

> Firstly, why the case for "unknown", "hidden" and obscured tokens.
> Essentially "hidden" overlaps with obscured, except the cases where it
> overlaps with "unknown". Would you agree with making it "_hidden", and
> mentioned as an example case in 6.4 ?

Agree, we can mention "_hidden" as an example of an obfuscated token.

> The other thing, is that by name it appears superficially to be an
> upgrade of X-Forwarded-For from Squid. Giving it a lot of consideration
> as such I have come down to the conclusion that the cases where they are
> a great danger of corrupting each other are many and the ways they can
> be used together are few.
>
> I propose mandating that the X-Forwarded-For header MUST NOT be sent by
> any software sending the Forwarded-For header. Probably under security
> considerations since XFF is used in security checks very often. It seems
> fairly safe to hash the XFF header and insert an obscured _hash token
> into Forwarded-For marking a point where the data chain became broken.
> Then erasing the received XFF header.
>
> As far as I can tell all other possible avenues of importing the XFF
> relay trail into Forwarded-For lead to header corruption one way or
> another as the request hops between chains of new and old software (new
> being the Forwarded-For aware proxies). If anyone has other ideas for a
> safe algorithm I'd welcome the input.
>
> AYJ

Both X-Forwarded-For and Forwarded will likely be emitted when you have no idea about the log capabilities at the receiving end. Forcing the X-Forwarded-For to be removed will make the upgrade path harder. You should probably be allowed to prepend (after a comparison with Forwarded) the X-Forwarded-For entries to the Forwarded, though.

You should trust neither X-Forwarded-For nor Forwarded for security checks unless you have a certain level of control over the whole chain. If you have that control you should also know what headers are being sent.

/Andreas Petersson
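The "hash the XFF header, insert an obscured _hash token, erase XFF" handling that Amos proposes in the quoted text, written out as an added example for a Forwarded-aware proxy hop; this is illustration code, not anything from the thread, Squid or the draft. The `_hash` prefix, the use of a truncated SHA-256 hex digest, and the placement of the marker before the current hop's own `for=` element are assumptions made here.

```python
import hashlib
from typing import Dict, List, Optional

HASH_PREFIX = "_hash"  # constructed token name, following the "_hash" idea in the thread


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (field names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def obfuscated_xff_token(xff_value: str) -> str:
    """Collapse a received X-Forwarded-For value into one obfuscated identifier.

    Obfuscated identifiers begin with "_" and use only ALPHA / DIGIT / "." /
    "_" / "-", so a hex digest is a valid body. The token records that an
    unverifiable XFF trail ended here without carrying its addresses onward.
    """
    digest = hashlib.sha256(xff_value.strip().encode("utf-8")).hexdigest()[:16]
    return f"{HASH_PREFIX}{digest}"


def forwarded_element(addr: str) -> str:
    """Format one 'for=' element; IPv6 literals must be bracketed and quoted."""
    if ":" in addr:
        return f'for="[{addr}]"'
    return f"for={addr}"


def rewrite_forwarded(headers: Dict[str, str], client_addr: str) -> Dict[str, str]:
    """Keep any existing Forwarded trail, replace a received X-Forwarded-For
    with one obfuscated marker, append this hop's observed client, and drop
    X-Forwarded-For so the two headers cannot drift apart on later hops."""
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("x-forwarded-for", "forwarded")}
    elements: List[str] = []
    existing = _get(headers, "Forwarded")
    if existing:
        elements.append(existing)
    xff = _get(headers, "X-Forwarded-For")
    if xff:
        elements.append(f"for={obfuscated_xff_token(xff)}")
    elements.append(forwarded_element(client_addr))
    out["Forwarded"] = ", ".join(elements)  # elements are ordered oldest hop first
    return out
```

Downstream, a `for=_hash...` element tells a log reader where the trail stopped being verifiable, which is the point Andreas makes: neither header is trustworthy for access decisions unless every hop in the chain is under your control.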
Received on Tuesday, 22 November 2011 14:36:04 UTC