Re: FYI... Binary Optimized Header Encoding for SPDY

On 07.08.2012 06:53, Martin Nilsson wrote:
> The HTTP proxy syntax is an ongoing source for security issues, due
> to too  relaxed pattern matching.
> GET HTTP/1.1
> GET HTTP/1.1
> GET HTTP/1.1

What "proxy syntax"? All I see there is a bunch of absolute-URI for

Splitting this into pieces on-wire and then re-assembling them into the 
same canonical URL before pattern matching will not result in admin 
people suddenly knowing safer patterns. The ones having trouble now 
already fail to use the tools provided correctly...

This would require re-writing most RFCs to handle new URL syntax, and 
we would have to maintain backward-compatibility and accept these forms 
anyway - which means no gain. Abolishing the second form would be nice 
to avoid credentials leakage in HTTP when its used as a Basic-auth 
substitute. But then again its used for a lot more than basic auth these 
days. Think salting parameter, three-legged auth algorithm name(s), 
domain realm, session ID, etc.


Received on Monday, 6 August 2012 23:40:49 UTC