- From: Willy Tarreau <w@1wt.eu>
- Date: Wed, 2 May 2012 07:24:14 +0200
- To: Mark Nottingham <mnot@mnot.net>
- Cc: IETF HTTP WG <ietf-http-wg@w3.org>
Hi Mark,

On Wed, May 02, 2012 at 09:33:53AM +1000, Mark Nottingham wrote:
> HTTP folk,
>
> Please have a look at this document and send along comments, especially if you're an intermediary or firewall person, or consume the existing X-Forwarded-For header.
>
> <http://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded-02>

A quick note before it escapes my mind, for 8.2. Information leak: I would add:

    This header field must never be copied into response messages by origin servers or intermediaries for whatever reason, as it can reveal the whole proxy chain to the client. As a side effect, special care must be taken in hosting environments not to allow the TRACE request where the Forwarded field is used, as it would appear in the body of the response message.

I'll probably have other comments and agree with those raised by Amos.

Regards,
Willy
Received on Wednesday, 2 May 2012 05:24:45 UTC
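The two mitigations proposed in the message above, as an added example that is not part of the thread or of any project mentioned in it: a small WSGI middleware that refuses TRACE (so a Forwarded field can never be echoed back in a message/http body) and strips any Forwarded or X-Forwarded-* field that an origin application copied into its response headers. The `leaky_app` origin and the Forwarded value used in the demo are constructed for this example.

```python
from wsgiref.util import setup_testing_defaults

# Request-side hop information that must never appear in a response.
HOP_INFO_FIELDS = {"forwarded", "x-forwarded-for", "x-forwarded-host", "x-forwarded-proto"}


class ForwardedLeakGuard:
    """Wrap a WSGI app: reject TRACE and scrub hop-info fields from responses."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if environ.get("REQUEST_METHOD", "").upper() == "TRACE":
            # TRACE reflects the whole request, Forwarded included, in the body.
            start_response("405 Method Not Allowed",
                           [("Allow", "GET, HEAD, POST"), ("Content-Type", "text/plain")])
            return [b"TRACE is not allowed\n"]

        def guarded_start_response(status, headers, exc_info=None):
            # Drop any hop-info field the origin mistakenly copied into the response.
            clean = [(k, v) for k, v in headers if k.lower() not in HOP_INFO_FIELDS]
            return start_response(status, clean, exc_info)

        return self.app(environ, guarded_start_response)


def leaky_app(environ, start_response):
    """Constructed origin that wrongly echoes Forwarded into its response headers."""
    headers = [("Content-Type", "text/plain")]
    if "HTTP_FORWARDED" in environ:
        headers.append(("Forwarded", environ["HTTP_FORWARDED"]))
    start_response("200 OK", headers)
    return [b"hello\n"]


def call(app, method, forwarded=None):
    """Drive a WSGI app offline with a constructed request; return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    if forwarded is not None:
        environ["HTTP_FORWARDED"] = forwarded  # constructed sample value
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def has_header(headers, name):
    return any(k.lower() == name.lower() for k, _ in headers)
```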