- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 19 Feb 2008 09:04:33 +0100
- To: "Jonas Sicking" <jonas@sicking.cc>, "mike amundsen" <mca@amundsen.com>, "WAF WG (public)" <public-appformats@w3.org>
On Tue, 19 Feb 2008 01:11:40 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
> mike amundsen wrote:
>> I agree w/ Kris:
>> Limiting HTTP headers is a real problem. I see no reason for this.
>> Certainly not for security reasons.
>
> How can you know that it is safe to send any header to any server? Note
> that no access checks are done before sending GET requests, so allowing
> any header there seems like it has great potential to have undesired
> effects on servers.

What exactly are the scenarios we're thinking of? An HTTP header that allows you to make a DELETE request through a GET request by having something like:

  X-Actual-Method: DELETE

Any others? (I agree that the above should probably be enough to only have a whitelist for GET.)

Should we move the header restrictions to the Access Control specification? An idea I had is that the cross-site access request algorithm takes a list of author provided headers as argument and filters those. For GET only a few would be allowed but for non-GET all would be allowed but a few. Does that sound like a reasonable idea?

-- 
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
Received on Tuesday, 19 February 2008 08:00:17 UTC
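As an added illustration (not code from this thread, from Opera, or from any browser), here is one way the filter Anne sketches could look: the access request algorithm receives the author-provided headers and keeps only an allowlist for GET, while for non-GET it passes everything except a short blocklist. The header names in both lists are assumptions chosen for the example; only X-Actual-Method comes from the message.

```javascript
// Sketch of the proposed per-method header filter for a cross-site access request.
// List contents are assumptions for illustration, not taken from the thread.

// GET is sent without any access check first, so only a few headers that an
// ordinary navigation would carry anyway are assumed safe to let through.
const GET_ALLOWLIST = new Set(["accept", "accept-language", "content-language"]);

// Non-GET requests pass all author headers except a few: method-override
// headers (X-Actual-Method is the thread's example; the second name is an
// assumed variant) and headers the user agent itself must own.
const NON_GET_BLOCKLIST = new Set([
  "x-actual-method",
  "x-http-method-override",
  "host",
  "content-length",
]);

// Returns the headers that survive filtering and the names that were dropped.
// Header names are matched case-insensitively, as HTTP field names are.
function filterAuthorHeaders(method, headers) {
  const isGet = method.toUpperCase() === "GET";
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    const allowed = isGet ? GET_ALLOWLIST.has(key) : !NON_GET_BLOCKLIST.has(key);
    if (allowed) {
      kept[name] = value;
    } else {
      dropped.push(name);
    }
  }
  return { kept, dropped };
}

// Constructed sample: the scenario from the thread, a GET carrying a method override.
const sample = filterAuthorHeaders("GET", {
  "Accept": "text/html",
  "X-Actual-Method": "DELETE",
});
console.log(sample); // kept: { Accept: "text/html" }, dropped: [ "X-Actual-Method" ]
```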