- From: Larry Masinter <LMM@acm.org>
- Date: Sat, 9 Jun 2001 21:55:43 -0700
- To: "Henrik Frystyk Nielsen" <henrikn@microsoft.com>, "Simon Fell" <soap@zaks.demon.co.uk>, <xml-dist-app@w3.org>, <xmlp-comments@w3.org>
> - I would be interested in hearing what you think about that
>
> http://lists.w3.org/Archives/Public/xml-dist-app/2001May/0053.html

I don't see how this has fixed the problem, though:

# The presence and content of the SOAPAction header field MAY be used by
# servers such as firewalls to appropriately filter SOAP HTTP request
# messages and it may be used by servers to facilitate dispatching of SOAP
# messages to internal message handlers etc. It SHOULD NOT be used as an
# insecure form of access authorization.

* Exactly how is it that a firewall might use a SOAPAction header to "appropriately" filter SOAP HTTP request messages? As far as I can tell, there's not enough information to decide which requests with which SOAPAction headers the firewall should accept, and which it should reject, or even how a firewall that rejects such a message should signal its rejection. Treat it as an attack? The main purpose of firewall filtering is to prevent unwanted or malicious traffic, but there's no reason to believe that malicious SOAP messages would contain a correct SOAPAction header. So I don't think the first application, "appropriate filter SOAP HTTP request methods", has been reasonably justified, at least in this fragment of text.

* The second application for SOAPAction headers given is that it "may be used by servers to facilitate dispatching", but the only way that a server might use a SOAPAction header would be if there were some specification of which kinds of SOAPAction headers should be dispatched and which should not, and where they should be dispatched. Is the SOAPAction header like another kind of Request-URI?

So I think this attempted clarification does nothing to respond to the criticism that the value of the SOAPAction header is not specified well enough for it to be used for its stated purposes.

Larry
--
http://larry.masinter.net
Received on Sunday, 10 June 2001 00:57:04 UTC
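As an added illustration of the dispatching use discussed in the message above (this is example code written for this page, not code from the thread or from the SOAP specification), the following Python server-side sketch parses a SOAP 1.1 SOAPAction header, uses it only to select a handler, and then refuses the request unless the Body's first child element agrees with that selection, so the header never acts as the sole gate. The dispatch table, the `urn:example:stock` URIs and the sample envelope are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"

# Hypothetical dispatch table (constructed for this example):
# SOAPAction URI -> (namespace, local name) of the expected Body child.
DISPATCH = {
    "urn:example:stock#GetQuote": ("urn:example:stock", "GetQuote"),
    "urn:example:stock#PlaceOrder": ("urn:example:stock", "PlaceOrder"),
}

# Constructed sample request body for a GetQuote call.
SAMPLE_ENVELOPE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    '<soap:Body><m:GetQuote xmlns:m="urn:example:stock">'
    '<m:symbol>W3C</m:symbol></m:GetQuote></soap:Body></soap:Envelope>'
)

def parse_soapaction(value):
    """Return the URI inside a SOAP 1.1 SOAPAction header value.
    SOAP 1.1 requires a quoted string; "" means the intent is given by the
    Request-URI. A missing header (None) yields None; a malformed one raises."""
    if value is None:
        return None
    value = value.strip()
    if len(value) < 2 or value[0] != '"' or value[-1] != '"':
        raise ValueError("SOAPAction must be a quoted string")
    return value[1:-1]

def body_element(envelope_xml):
    """Return (namespace, local name) of the first child of soap:Body."""
    root = ET.fromstring(envelope_xml)
    body = root.find("{%s}Body" % SOAP_ENV)
    if body is None or len(body) == 0:
        raise ValueError("missing or empty SOAP Body")
    tag = body[0].tag
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def dispatch(headers, envelope_xml):
    """Select a handler from SOAPAction, then cross-check it against the Body.
    Returns ("handle", name) or ("reject", reason); the header alone never decides."""
    try:
        action = parse_soapaction(headers.get("SOAPAction"))
    except ValueError as exc:
        return ("reject", str(exc))
    if action not in DISPATCH:
        return ("reject", "unknown or missing SOAPAction")
    if body_element(envelope_xml) != DISPATCH[action]:
        return ("reject", "SOAPAction does not match Body element")
    return ("handle", DISPATCH[action][1])
```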