- From: Jonas Sicking <jonas@sicking.cc>
- Date: Tue, 26 Feb 2008 03:54:28 -0800
- To: mike amundsen <mca@amundsen.com>
- Cc: Anne van Kesteren <annevk@opera.com>, John Panzer <jpanzer@acm.org>, "WAF WG (public)" <public-appformats@w3.org>
mike amundsen wrote:
> I propose the following HTTP Headers be added to the white list:
>
> Accept
> Accept-Language
> Accept-Ranges
> Age
> Allow
> Cache-Control
> Content-Disposition
> Content-Language
> Content-Location
> Content-MD5
> Content-Range
> Content-Type
> ETag
> Expect
> Expires
> From
> If-Match
> If-Modified-Since
> If-None-Match
> If-Range
> If-Unmodified-Since
> Last-Modified
> Location
> Max-Forwards
> Pragma
> Range
> Refresh
> Retry-After
> Server
> Transfer-Encoding
> User-Agent
> Vary
> Warning

So first off, this whitelist only matters for GET requests. So headers that don't make sense for GET I don't see a reason to allow; that especially includes request headers.

I'm wondering what you based this list on, and why you think that these headers are all going to be safe? For example Content-MD5 (apart from the fact that it doesn't make sense for GET requests) seems dangerous if the server relies on it being truthful.

/ Jonas
Received on Tuesday, 26 February 2008 11:55:02 UTC
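Two points in the reply above lend themselves to a worked illustration: a whitelist for cross-site access is about which response headers a script may read back, and a header such as Content-MD5 must never be taken at face value by the server. The Python below is an added example written for this archive page; it is not code from the thread, from the WAF WG or from any browser. The whitelist set and the `accept_upload` handler are hypothetical, and the request bodies and header values are constructed samples.

```python
import base64
import hashlib
import hmac

# Hypothetical whitelist of response headers a cross-site script may read back.
# A constructed example set, not the list proposed in the thread.
EXPOSED_RESPONSE_HEADERS = frozenset(h.lower() for h in (
    "Cache-Control", "Content-Language", "Content-Type",
    "Expires", "Last-Modified", "Pragma",
))


def filter_exposed_headers(response_headers):
    """Keep only whitelisted response headers; everything else (Set-Cookie,
    Server, custom headers, ...) stays hidden from the cross-site caller."""
    return {name: value for name, value in response_headers.items()
            if name.lower() in EXPOSED_RESPONSE_HEADERS}


def content_md5_of(body):
    """Content-MD5 value as RFC 1864 defines it: base64 of the raw MD5 digest."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def content_md5_matches(body, header_value):
    """Check a client-supplied Content-MD5 by recomputing it over the body.
    The header is an untrusted claim; only the recomputation is authoritative."""
    expected = content_md5_of(body).encode("ascii")
    claimed = header_value.strip().encode("utf-8")
    return hmac.compare_digest(expected, claimed)


def accept_upload(headers, body):
    """Hypothetical server-side handler for a request that carries a body.
    Returns (status, reason); a mismatching digest is rejected, never repaired."""
    claimed = headers.get("Content-MD5")
    if claimed is None:
        return 200, "accepted (no integrity header supplied)"
    if not content_md5_matches(body, claimed):
        return 400, "Content-MD5 does not match body"
    return 200, "accepted (Content-MD5 verified)"


if __name__ == "__main__":
    body = b"hello world"                                  # constructed sample body
    honest = {"Content-MD5": content_md5_of(body)}
    forged = {"Content-MD5": "AAAAAAAAAAAAAAAAAAAAAA=="}   # constructed bogus digest
    print(accept_upload(honest, body))   # (200, 'accepted (Content-MD5 verified)')
    print(accept_upload(forged, body))   # (400, 'Content-MD5 does not match body')

    # Constructed response: only Content-Type and Cache-Control survive the filter.
    response = {"Content-Type": "text/plain", "Set-Cookie": "session=abc",
                "Server": "example/1.0", "Cache-Control": "no-store"}
    print(filter_exposed_headers(response))
```

The handler treats the header purely as something to verify against the body it actually received, which is the defensive reading of the concern raised above: a server that instead believed the client's digest would let a caller assert integrity it never checked. `hmac.compare_digest` is used so the comparison does not leak timing about how many leading characters matched.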