Re: Proposal for a way to avoid a round-trip on every POST when dealing with large numbers of URIs

Jonas Sicking wrote:
> 
> Hi All,
> 
> So I have some feedback to this proposal. I think Hixie might have 
> misunderstood me and while I agreed to him publishing it, it's 
> definitely not _from_ me.
> 
> So there are a couple of pretty big security concerns that I have with 
> this proposal.
> 
> 1.
> It introduces ordering issues. Consider the following setup; A server 
> contains two resources, /dir/A and /dir/B, and returns the following 
> replies to OPTIONS requests:
> 
> /dir/
> Access-Control:allow <*> method POST
> Method-Check-Policy-Path: /dir/
> Method-Check-Max-Age:3600
> 
> /dir/A
> Access-Control:allow <*> method POST
> Method-Check-Policy-Path: /dir/
> Method-Check-Max-Age:3600
> 
> /dir/B
> Access-Control:deny <*> method POST
> Method-Check-Max-Age:3600
> 
> 
> If a UA now accesses resource A it would do OPTIONS requests to /dir/A 
> and then /dir/ and result in "allow <*> method POST" being cached as the 
> policy for all resources under /dir/.
> 
> If the UA then tries to do a POST to resource B this would be performed 
> without any OPTIONS requests. I.e. the POST to B would be successful.
> 
> However if the UA first tries to do a POST to resource B, the UA would 
> first do an OPTIONS request to /dir/B and then abort. I.e. the POST to B 
> would be unsuccessful.

Note that this isn't a problem with 'deny' rules. The exact same problem 
is there if OPTIONS requests to /dir/B don't return any AC headers at 
all. Just wanted the example to be more specific.

/ Jonas

Received on Wednesday, 6 February 2008 11:09:03 UTC
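
The ordering dependence described in this message, as an added example that is not part of the original post or of the proposal's text: a small JavaScript model of a user agent that caches a path-wide policy. The `SERVER` table mirrors the three OPTIONS replies quoted above; the `UserAgent` class, its cache logic and the `run` helper are hypothetical and only encode the behaviour the message describes.

```javascript
// Constructed model of the OPTIONS replies listed in the message.
const SERVER = {
  "/dir/":  { allowPost: true,  policyPath: "/dir/", maxAge: 3600 },
  "/dir/A": { allowPost: true,  policyPath: "/dir/", maxAge: 3600 },
  "/dir/B": { allowPost: false, policyPath: null,    maxAge: 3600 },
};

// Hypothetical user agent that caches path-wide policies (assumed behaviour).
class UserAgent {
  constructor() {
    this.prefixCache = new Map(); // path prefix -> expiry time in seconds
    this.log = [];                // requests actually sent, in order
    this.now = 0;
  }
  options(url) {
    this.log.push(`OPTIONS ${url}`);
    return SERVER[url] || { allowPost: false, policyPath: null, maxAge: 0 };
  }
  coveredByCache(url) {
    for (const [prefix, expiry] of this.prefixCache) {
      if (url.startsWith(prefix) && expiry > this.now) return true;
    }
    return false;
  }
  post(url) {
    if (!this.coveredByCache(url)) {
      const own = this.options(url);
      if (!own.allowPost) return false; // abort: the POST is never sent
      if (own.policyPath) {
        const wide = this.options(own.policyPath);
        if (wide.allowPost) this.prefixCache.set(own.policyPath, this.now + wide.maxAge);
      }
    }
    this.log.push(`POST ${url}`); // sent without re-checking this resource
    return true;
  }
}

// Replays a sequence of POSTs against a fresh user agent.
function run(order) {
  const ua = new UserAgent();
  const results = {};
  for (const url of order) results[url] = ua.post(url);
  return { results, log: ua.log };
}

const aFirst = run(["/dir/A", "/dir/B"]);
const bFirst = run(["/dir/B", "/dir/A"]);
console.log("A then B:", aFirst.results, aFirst.log);
console.log("B then A:", bFirst.results, bFirst.log);
```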