- From: Daniel Veditz <dveditz@cruzio.com>
- Date: Mon, 15 Oct 2007 10:33:59 -0700
- To: "Web API WG (public)" <public-webapi@w3.org>
Section 1.2.1 seems to say that a conforming user agent SHOULD support the TRACE method, since TRACE is one of the RFC 2616 5.1.1 methods. Instead, the XHR spec should explicitly say that "a conforming user agent SHOULD NOT support the TRACE or TRACK methods". (TRACK is used by old versions of IIS.)

These two methods can be abused through XSS holes to recover HttpOnly cookies and HTTP Authentication details. Mozilla browsers do not and will not support these two methods.

US-CERT has recommended that servers disable TRACE support since 2003 because of this problem, but many did not get the message. http://www.kb.cert.org/vuls/id/867593

-Dan Veditz
Received on Tuesday, 16 October 2007 03:33:57 UTC
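The abuse the message describes only works when both halves line up: a browser willing to send TRACE from script, and a server that still echoes the request back as a `message/http` body (so that HttpOnly cookies and Authorization headers the script could never read directly come back in a response it can). The following is an added example, not code from the original post, from Mozilla, or from the XHR spec: it shows the server-side half, a probe that sends a TRACE request carrying a marker header and decides whether the server reflected it. The marker header name `X-XST-Probe`, the sample cookie value, the two constructed responses, and the local echoing server used as a stand-in for a misconfigured host are all assumptions chosen for this example.

```python
"""Cross-site tracing (XST) probe: does a server still echo TRACE requests?

Added example, not part of the original mailing-list message. A server that
answers TRACE with a message/http copy of the request hands back every header
the client sent, including HttpOnly cookies and HTTP Authentication details;
combined with a browser that lets script issue TRACE, an XSS hole becomes a
cookie/credential leak. The probe below only checks the server half.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER_HEADER = "X-XST-Probe"  # hypothetical marker header chosen for this example


def build_trace_request(host: str, path: str = "/", marker: str = "canary") -> bytes:
    """Build a minimal HTTP/1.1 TRACE request with a marker header plus the
    kind of header an attacker would want reflected (constructed cookie value)."""
    lines = [
        f"TRACE {path} HTTP/1.1",
        f"Host: {host}",
        f"{MARKER_HEADER}: {marker}",
        "Cookie: session=constructed-httponly-value",  # constructed sample
        "Connection: close",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes) -> tuple[int, dict, bytes]:
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def trace_is_echoed(raw_response: bytes, marker: str = "canary") -> bool:
    """True when the server reflected our request: 200 status, a message/http
    body, and our marker header present verbatim inside that body."""
    status, headers, body = parse_response(raw_response)
    if status != 200:
        return False
    if not headers.get("content-type", "").startswith("message/http"):
        return False
    return f"{MARKER_HEADER}: {marker}".encode("ascii") in body


def probe(host: str, port: int, timeout: float = 5.0) -> bool:
    """Send one TRACE over a plain socket and report whether it was echoed."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return trace_is_echoed(b"".join(chunks))


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE left enabled: it reflects
    the request line and headers back as a message/http body."""

    def do_TRACE(self):
        echoed = self.requestline + "\r\n" + "".join(
            f"{k}: {v}\r\n" for k, v in self.headers.items()) + "\r\n"
        body = echoed.encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


# Constructed sample responses: one reflecting server, one that refuses TRACE.
ECHOED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
    b"TRACE / HTTP/1.1\r\nHost: example.test\r\nX-XST-Probe: canary\r\n"
    b"Cookie: session=constructed-httponly-value\r\n\r\n"
)
REFUSED_RESPONSE = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD\r\n\r\n"


if __name__ == "__main__":
    # Live run against the local echoing stand-in (hypothetical host, port 0 = any free port).
    server = HTTPServer(("127.0.0.1", 0), EchoingTraceHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        print("local echo server reflects TRACE:", probe("127.0.0.1", server.server_address[1]))
    finally:
        server.shutdown()
    print("constructed 405 response reflects TRACE:", trace_is_echoed(REFUSED_RESPONSE))
```

Point `probe()` at a real host only with authorization; a `True` result means any header the browser attaches automatically would be readable by injected script on a user agent that permits TRACE, which is exactly why the fix belongs on both sides: disable TRACE (and TRACK on old IIS) at the server, and refuse the methods in the user agent as the message asks.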