p1: additional security considerations

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 23 Apr 2013 16:02:22 +1000
Message-Id: <43ED2599-CE89-4C0C-8EEF-E3A6200E8662@mnot.net>
To: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Just wondering if we need to explicitly point out the security considerations around the following:

* Message routing -- it's somewhat common AIUI for intermediaries to only route on the Host header, for performance reasons; i.e., they do not reconstruct the effective request URI (as required by p1 5.5). I know there's a theoretical risk here, but is there a real-world risk that we should point out?

* Message delimitation - the consequences for getting message delimitation wrong (whether it's regarding multiple content-length headers, processing 1xx responses correctly, etc.) are now well-understood. Should we point it out explicitly in SC?

Mark Nottingham   http://www.mnot.net/
Received on Tuesday, 23 April 2013 06:02:46 UTC
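
Added example, not part of the original message or of the HTTP drafts: Python checks an intermediary could run on a request head to flag the two conditions the message raises, a Host field that disagrees with an absolute-form request-target, and ambiguous Content-Length framing. The function names, finding labels and sample requests are constructed for illustration; the rules assumed are that an absolute-form target takes precedence over Host, and that differing Content-Length values or Content-Length alongside Transfer-Encoding are treated as errors.

```python
from urllib.parse import urlsplit

def parse_head(raw: bytes):
    """Split a request head into (method, target, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *field_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    fields = []
    for line in field_lines:
        name, _, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()))
    return method, target, fields

def audit(raw: bytes):
    """Return a list of findings; an empty list means nothing was flagged."""
    _method, target, fields = parse_head(raw)
    findings = []
    hosts = [v.lower() for n, v in fields if n == "host"]
    if len(hosts) != 1:
        findings.append("host-count")
    # Absolute-form target: its authority, not Host, identifies the resource.
    # Simplification (assumption): default ports are not normalised here.
    authority = urlsplit(target).netloc.lower() if "://" in target else None
    if authority and hosts and authority != hosts[0]:
        findings.append("host-vs-target-mismatch")
    # Content-Length may repeat as field lines or as a comma-separated list.
    lengths = {p.strip() for n, v in fields
               if n == "content-length" for p in v.split(",")}
    if len(lengths) > 1:
        findings.append("conflicting-content-length")
    if any(not (l.isascii() and l.isdigit()) for l in lengths):
        findings.append("invalid-content-length")
    if lengths and any(n == "transfer-encoding" for n, _ in fields):
        findings.append("content-length-with-transfer-encoding")
    return findings

# Constructed sample requests (not taken from the original message).
CLEAN = b"GET /a HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SPLIT_ROUTE = (b"GET http://other.example/a HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n")
TWO_LENGTHS = (b"POST /a HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Content-Length: 5\r\nContent-Length: 11\r\n\r\nhello")
CL_AND_TE = (b"POST /a HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n")

if __name__ == "__main__":
    for name in ("CLEAN", "SPLIT_ROUTE", "TWO_LENGTHS", "CL_AND_TE"):
        print(name, audit(globals()[name]))
```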
