- From: Ruben Verborgh <notifications@github.com>
- Date: Tue, 29 Jan 2019 04:22:57 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 29 January 2019 12:23:19 UTC
> The rationale is that the more attacker controlled bytes there are the easier it is to determine things about the resource @annevk But is that really so? At first, I intuitively agreed, because "more space" seems equal to "more space to do bad things". But after further reflection, I'm not so sure. It begs several questions: 1. **Is space indeed an enabler for bad things?** (As opposed to, let's say, bad escaping, which might also lead to trouble with smaller payloads.) 2. If it is, **how does the mitigation mechanism address protect against large headers?** It seems at the moment the rationale is broken. The current reasoning seems to be: - A large header section is dangerous. - So let's require the server to allow specific headers. - Server's intended result: the client can send a specific header. - Actual result: the client can send an arbitrarily large header section. So the protection mechanism "sure, I allow header X" does not seem to protect against large headers at all, which I read above is what it is supposed to do (and I doubt that necessity). Why not an "allowed header length" then? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/862#issuecomment-458520584
Received on Tuesday, 29 January 2019 12:23:19 UTC