- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 16 Oct 2007 12:13:19 +0200
- To: "Daniel Veditz" <dveditz@cruzio.com>, "Web API WG (public)" <public-webapi@w3.org>
On Mon, 15 Oct 2007 19:33:59 +0200, Daniel Veditz <dveditz@cruzio.com> wrote: > Section 1.2.1 seems to say that a conforming user agent SHOULD support > the TRACE method since TRACE is one of the RFC 2616 5.1.1 methods. > Instead the XHR spec should explicitly say that "a conforming user agent > SHOULD NOT > support the TRACE or TRACK methods". (TRACK is used by old versions of > IIS) > > These two methods can be abused through XSS holes to recover HttpOnly > cookies and Http Authentication details. Mozilla browsers do not and will > not support these two methods. US-CERT has recommended servers disable > TRACE support since 2003 because of this problem, but many did not get > the message. http://www.kb.cert.org/vuls/id/867593 CONNECT is also a security issue. The SHOULD-level requirement is about supporting arbitrary HTTP methods, not TRACE, CONNECT, and apparently TRACK, specifically. The open() algorithm allows user agents to throw a SECURITY_ERR exception for methods with security implications though it doesn't call the known ones out explicitly. It probably should. How to deal with HTTP methods is a bit unclear at the moment. Generally speaking Firefox supports arbitrary HTTP methods though it uses some case-insensitive hash table which violates HTTP. Internet Explorer 7 doesn't support them, uses a whitelist, and throws an exception for unknown methods. Opera doesn't either, and uses GET requests for unknown methods. -- Anne van Kesteren <http://annevankesteren.nl/> <http://www.opera.com/>
Received on Tuesday, 16 October 2007 10:13:31 UTC