- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Fri, 09 Jun 2006 09:43:05 +0200
- To: Ian Hickson <ian@hixie.ch>
- CC: Charles McCathieNevile <chaals@opera.com>, Mark Nottingham <mnot@yahoo-inc.com>, "Web APIs WG (public)" <public-webapi@w3.org>
Ian Hickson wrote:
> On Thu, 8 Jun 2006, Charles McCathieNevile wrote:
>>> Please be more specific. POST today allows *anything*.
>> Well, POST allows you to send anything. DELETE and PUT actually have
>> semantics that make them much more dangerous (and much more useful, if
>> you're building very simple publishing systems).
>
> Just to be clear: from a security standpoint, none of those are a problem.
> They all just affect the target host. There are FAR more dangerous
> methods, for example CONNECT. The risk is not that the first-party server
> might be attacked, since the first-party server is the only server we
> _don't_ care about attacking. The risks are for things _other_ than the
> first-party server. For example, a proxy server.
> ...

Speaking of which, if this is a security problem: why hasn't it been fixed in Firefox 1.5 and/or IE 6SP2? Both seem to happily send CONNECT requests when asked for.

Best regards, Julian
Received on Friday, 9 June 2006 07:43:13 UTC
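The thread above argues that the dangerous methods are the ones that act on something other than the first-party server, CONNECT being the example because it is interpreted by a proxy. The following is an added example, not code from the thread or from any browser: a client-side method gate of the kind a script-accessible HTTP client can apply before dispatching a request. It applies the rule the XMLHttpRequest and Fetch specifications later adopted (CONNECT, TRACE and TRACK refused case-insensitively, the common methods normalised to uppercase) and additionally requires the method to be a syntactically valid HTTP token. The function and constant names are this example's own.

```javascript
// Added example (not from the mailing-list thread): a method gate for an
// XHR-style client. CONNECT, TRACE and TRACK are refused regardless of
// case, because they act on the proxy or the transport rather than on the
// first-party origin server; this mirrors the rule later standardised for
// XMLHttpRequest/Fetch. Names below are this example's own.

const FORBIDDEN_METHODS = new Set(["CONNECT", "TRACE", "TRACK"]);

// Methods whose spelling is normalised to uppercase so that "get" and
// "GET" are treated identically; any other token is passed through verbatim.
const NORMALISED_METHODS = new Set(["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"]);

// RFC 7230 token: one or more tchar, so no whitespace, control characters
// or separators can reach the request line.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

class MethodRejectedError extends Error {
  constructor(method, reason) {
    super(`method "${method}" rejected: ${reason}`);
    this.name = "MethodRejectedError";
    this.reason = reason;
  }
}

// Returns the method string the request may use, or throws MethodRejectedError.
function checkRequestMethod(method) {
  if (typeof method !== "string" || !TOKEN_RE.test(method)) {
    throw new MethodRejectedError(String(method), "not a valid HTTP token");
  }
  const upper = method.toUpperCase();
  if (FORBIDDEN_METHODS.has(upper)) {
    throw new MethodRejectedError(method, "forbidden method");
  }
  return NORMALISED_METHODS.has(upper) ? upper : method;
}

// Non-throwing variant that returns a result object, convenient for logging
// which methods page scripts attempted to use.
function classifyRequestMethod(method) {
  try {
    return { allowed: true, method: checkRequestMethod(method) };
  } catch (e) {
    if (e instanceof MethodRejectedError) {
      return { allowed: false, method: String(method), reason: e.reason };
    }
    throw e;
  }
}

// Constructed sample of method strings a script might hand to open().
const SAMPLES = ["get", "PUT", "delete", "connect", "Trace", "PROPFIND", "GET extra", ""];

// Runs the gate over the constructed samples and returns the decisions.
function demo() {
  return SAMPLES.map((m) => classifyRequestMethod(m));
}

for (const r of demo()) {
  console.log(JSON.stringify(r));
}
```

With the samples above, `get` and `delete` come back as `GET` and `DELETE`, `PROPFIND` is passed through unchanged, `connect` and `Trace` are rejected as forbidden, and `GET extra` and the empty string are rejected as malformed tokens.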