
Re: Content security model

From: Albert Lunde <atlunde@panix.com>
Date: Wed, 25 Jul 2012 12:59:19 -0500
Message-ID: <501033F7.8040805@panix.com>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

> HTTP does have a similar conflation, but nowhere near as severe.
> Content is mostly confined to the body and Routing is strictly
> confined to the Head. The parts that cross the line are
> Content-Encoding and Content-Type. Both of which are ignored in a Web
> Services context almost all the time.  Yes, a Web Service could
> support multiple character encodings but I cannot see any case where I
> would want the service to use Content-Encoding to make the choice.

This seems like a reasonable position for web services, but HTTP is also 
a transport for HTML in the context of web browsers, which, when mixed 
with JavaScript and dynamic HTML, have done a remarkable job of 
confusing content with metadata, and declarative markup with 
Turing-complete languages.

There must be some security attacks which involve corrupting the headers 
or the request. Maybe HTTP/2.0 will have better framing to resist this.

"HTTP Request Splitting" comes to mind, or maybe adding a 
Content-Disposition header.

You may be right, though, that it's easier to apply some kinds of 
security (signing or encryption) to a payload.

Received on Wednesday, 25 July 2012 17:59:40 UTC
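The header-corruption risk the post alludes to comes down to HTTP/1.x framing: a CR LF pair inside a header value is indistinguishable from the end of that header, which is what "HTTP Request Splitting" (and response splitting) exploits. As an added example, not from this thread or any project, here is the check a server or proxy should apply before serializing a header it did not originate; the allowed byte set is taken from the RFC 7230 field-value grammar (assumed here as the reference).

```python
from __future__ import annotations
import re

# RFC 7230 field-value: VCHAR / SP / HTAB / obs-text (0x80-0xFF).
# Bare CR, LF and NUL are never allowed; they are what breaks framing.
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")
# RFC 7230 token characters, used for header names.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


class HeaderInjection(ValueError):
    """Raised when a header name or value would split the message head."""


def check_header(name: str, value: str) -> None:
    """Reject any name/value that HTTP/1.x framing would misread."""
    # fullmatch is essential: re.match with '$' would accept a trailing '\n'.
    if not _TOKEN.fullmatch(name):
        raise HeaderInjection(f"illegal header name: {name!r}")
    if not _FIELD_VALUE.fullmatch(value):
        raise HeaderInjection(f"control character in {name}: {value!r}")


def is_safe(name: str, value: str) -> bool:
    """Boolean form of check_header, convenient for filters and tests."""
    try:
        check_header(name, value)
        return True
    except HeaderInjection:
        return False


def build_head(status: int, reason: str,
               headers: list[tuple[str, str]]) -> bytes:
    """Serialize a response head, validating every header first so that a
    value taken from a request (e.g. a redirect target) cannot inject
    extra header lines or a body."""
    for name, value in headers:
        check_header(name, value)
    lines = [f"HTTP/1.1 {status} {reason}"]
    lines += [f"{name}: {value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


if __name__ == "__main__":
    # Constructed sample: a redirect target copied from user input.
    print(build_head(302, "Found", [("Location", "/home")]))
    print(is_safe("Location", "/home\r\nSet-Cookie: session=attacker"))  # False
```

The same check belongs on the request side of a proxy, since a value forwarded unchanged from one hop can split the head at the next.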