- From: Charles McCathieNevile <chaals@opera.com>
- Date: Tue, 21 Oct 2008 12:27:26 +0200
- To: "Jonas Sicking" <jonas@sicking.cc>
- Cc: "WebApps WG" <public-webapps@w3.org>
On Mon, 20 Oct 2008 17:48:07 +0200, Jonas Sicking <jonas@sicking.cc> wrote:

> Charles McCathieNevile wrote:
...
>> http://dev.w3.org/cvsweb/~checkout~/2006/webapi/progress/Progress.html?rev=1.24
>> you will find a new draft of the progress events spec, for your
>> delectation...
>
> So the spec says that for HEAD requests the size should include the size
> of headers. I just realized that this might be a security issue.

Following discussion today, I will change the text to say head content *should not* be calculated, for the reason Jonas gives.

cheers

Chaals

> The headers can include the user's password, many times in clear text. If
> a site knows the size of the default headers for a given implementation,
> it can figure out the size of the user's password by subtracting the
> default size from the size reported from the 'load' event from a HEAD
> request.

--
Charles McCathieNevile Opera Software, Standards Group
je parle français -- hablo español -- jeg lærer norsk
http://my.opera.com/chaals Try Opera: http://www.opera.com
Received on Tuesday, 21 October 2008 10:27:58 UTC