Re: consensus on :query ?

From: Willy Tarreau <w@1wt.eu>
Date: Mon, 21 Jul 2014 07:46:22 +0200
To: Roberto Peon <grmocg@gmail.com>
Cc: Poul-Henning Kamp <phk@phk.freebsd.dk>, Phil Hunt <phil.hunt@oracle.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20140721054622.GL21834@1wt.eu>

Hi Roberto,

On Sun, Jul 20, 2014 at 06:33:01PM -0700, Roberto Peon wrote:
> One doesn't have to guess path + query, one only guesses the query.
> In some scenarios, this enhances the attacker's ability to probe.
> The question is, does it do so enough for us to care.

I don't see why it would be trouble since the path is generally
well known and could be considered constant. It will be retrieved
from a link on a page, a location header, or will just be "/" or
something like this.

Willy
Received on Monday, 21 July 2014 05:50:03 UTC