- From: mike amundsen <mca@amundsen.com>
- Date: Mon, 18 Feb 2008 22:16:54 -0500
- To: "John Panzer" <jpanzer@acm.org>
- Cc: "Jonas Sicking" <jonas@sicking.cc>, "WAF WG (public)" <public-appformats@w3.org>
John:

Yes. For example, HTTP headers such as If-Match, If-None-Match, and If-Unmodified-Since are important for update methods like PUT, POST, and DELETE.

I would *assume* that servers will also be doing standard Auth-n/z on GET/HEAD as well. The additional task that servers take on of sorting out CSR auth(n/z) will not change that, right?

MikeA

On Feb 18, 2008 10:06 PM, John Panzer <jpanzer@acm.org> wrote:
>
> Jonas Sicking wrote:
> >
> > mike amundsen wrote:
> >> I agree w/ Kris:
> >>
> >> Limiting HTTP headers is a real problem. I see no reason for this.
> >> Certainly not for security reasons.
> >
> > How can you know that it is safe to send any header to any server?
> > Note that no access checks are done before sending GET requests, so
> > allowing any header there seems like it has great potential to have
> > undesired effects on servers.
> >
> Note that modifying operations (POST, DELETE, etc.) do have an access
> check performed before execution. If nothing else is changed, could the
> spec be modified so that it allowed all headers for such operations?
>

--
mca
http://amundsen.com/blog/
Received on Tuesday, 19 February 2008 03:17:02 UTC
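The access-control model the three participants are arguing over, as an added illustration that is not part of the thread or of the WAF WG draft: cross-site GET/HEAD is sent with no prior access check, so the user agent can only attach a fixed set of unchecked headers, while modifying methods go through an access check against a server policy that can admit headers such as If-Match. The unchecked-header set, the `ServerPolicy` class and the origins are constructed for this model, not taken from the specification.

```python
# Headers this model lets a user agent attach to a cross-site GET/HEAD that
# is sent with no access check. Constructed set for illustration only.
UNCHECKED_HEADERS = {"accept", "accept-language", "content-language"}

# Methods that, per the thread, are preceded by an access check.
MODIFYING_METHODS = {"PUT", "POST", "DELETE"}


class ServerPolicy:
    """Server side of the access check: which origins and which request
    headers the server is willing to accept on modifying requests."""

    def __init__(self, allowed_origins, allowed_headers):
        self.allowed_origins = set(allowed_origins)
        self.allowed_headers = {h.lower() for h in allowed_headers}

    def access_check(self, origin, method, headers):
        """Grant only if origin, method and every request header are allowed."""
        if origin not in self.allowed_origins:
            return False, "origin not allowed"
        if method not in MODIFYING_METHODS:
            return False, "access check only defined for modifying methods"
        disallowed = {h.lower() for h in headers} - self.allowed_headers
        if disallowed:
            return False, "headers not allowed: " + ", ".join(sorted(disallowed))
        return True, "granted"


def browser_decision(policy, origin, method, headers):
    """Decide whether the user agent sends a cross-site request.
    Returns (sent: bool, reason: str)."""
    if method in ("GET", "HEAD"):
        # No access check precedes GET/HEAD (Jonas's concern), so anything
        # outside the unchecked set cannot be vetted by the server first.
        extra = {h.lower() for h in headers} - UNCHECKED_HEADERS
        if extra:
            return False, "refused: no access check for GET/HEAD; headers " \
                          "need one: " + ", ".join(sorted(extra))
        return True, "sent without access check"
    if method in MODIFYING_METHODS:
        # John's point: an access check runs before execution, so headers
        # such as If-Match are admitted whenever the server's policy lists them.
        return policy.access_check(origin, method, headers)
    return False, "method not modelled"


if __name__ == "__main__":
    policy = ServerPolicy(["http://app.example"],
                          ["If-Match", "If-None-Match", "If-Unmodified-Since"])
    print(browser_decision(policy, "http://app.example", "PUT", ["If-Match"]))
    print(browser_decision(policy, "http://app.example", "GET", ["If-None-Match"]))
```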