Status: Closed (mnot closed 3 years ago)
Component: semantics
Owner: unassigned
@mnot changed version to 00-draft
fielding@gbiv.com commented:
That security advisory is a load of festering smelly bits. It depends on a known security issue on a known hole-filled browser and its related error-prone configuration option. The obvious solution (from a protocol perspective) is to avoid sending arbitrary private browser information in arbitrary methods executed by arbitrary javascript. That has nothing to do with TRACE.
XSS should be discussed in the security considerations.
ylafon@w3.org commented:
Proposal: add the following text to the Security Considerations, in the "Transfer of Sensitive Information" section:

Some methods, like TRACE ( ), may expose information sent in request headers in the response entity. Clients SHOULD be careful with sensitive information, like Cookies, Authorization credentials and other headers that might be used to collect data from the Client.
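The reflection the proposed text warns about, modelled as an added example (this is not code from the ticket or from the HTTPbis drafts). TRACE is a loopback: the final recipient returns the request it received as a 200 response with a message/http body, so a literal implementation echoes Cookie and Authorization values to any script that can issue the request and read the response. The block below builds that naive response, a hardened one that strips credential-bearing headers before echoing (the server-side counterpart of the client-side caution in the proposal), and the blunt alternative of refusing TRACE outright. The header list `SENSITIVE_HEADERS`, the function names and the sample request are all constructed for this example.

```python
# Added example: models the TRACE loopback and two mitigations.
# Not part of the ticket or the HTTPbis drafts; names and sample data are constructed.

# Assumed list of header fields likely to carry credentials.
SENSITIVE_HEADERS = frozenset({"cookie", "authorization", "proxy-authorization"})


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, version, headers).

    Headers come back as (name, value) tuples in wire order; any body is ignored.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _colon, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers


def serialize_request(method, target, version, headers) -> bytes:
    """Rebuild request-line plus header block, i.e. a message/http body."""
    out = ["%s %s %s" % (method, target, version)]
    out.extend("%s: %s" % (name, value) for name, value in headers)
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1")


def _ok_response(body: bytes) -> bytes:
    """200 response carrying the echoed request as message/http."""
    head = "\r\n".join([
        "HTTP/1.1 200 OK",
        "Content-Type: message/http",
        "Content-Length: %d" % len(body),
    ])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def naive_trace_response(raw: bytes) -> bytes:
    """Literal loopback: every received header field is echoed back."""
    method, target, version, headers = parse_request(raw)
    if method != "TRACE":
        raise ValueError("not a TRACE request")
    return _ok_response(serialize_request(method, target, version, headers))


def hardened_trace_response(raw: bytes) -> bytes:
    """Loopback that drops credential-bearing headers before echoing."""
    method, target, version, headers = parse_request(raw)
    if method != "TRACE":
        raise ValueError("not a TRACE request")
    safe = [(n, v) for n, v in headers if n.lower() not in SENSITIVE_HEADERS]
    return _ok_response(serialize_request(method, target, version, safe))


def refuse_trace_response(raw: bytes) -> bytes:
    """Blunter deployment choice: do not implement TRACE at all (nothing echoed)."""
    return (b"HTTP/1.1 405 Method Not Allowed\r\n"
            b"Allow: GET, HEAD, POST\r\n"
            b"Content-Length: 0\r\n\r\n")


def reflected_values(response: bytes, header_name: str) -> list:
    """Values of header_name found in the request echoed inside a TRACE response.

    This is the check an attacker's script would run on the response text.
    """
    _head, _sep, body = response.partition(b"\r\n\r\n")
    if not body:
        return []
    _m, _t, _v, headers = parse_request(body)
    return [v for n, v in headers if n.lower() == header_name.lower()]


# Constructed sample: the browser attaches its cookie and credentials to a
# script-initiated TRACE; the script cannot read them directly, but the naive
# server hands them back in the response body.
SAMPLE_REQUEST = (
    b"TRACE / HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Cookie: session=s3cr3t-value\r\n"
    b"Authorization: Basic dXNlcjpwYXNz\r\n"
    b"X-Trace-Id: abc123\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(naive_trace_response(SAMPLE_REQUEST).decode("latin-1"))
    print(hardened_trace_response(SAMPLE_REQUEST).decode("latin-1"))
```

Running the module prints both responses: the naive one contains the Cookie and Authorization lines verbatim, the hardened one keeps only Host and X-Trace-Id, so the loopback still serves its diagnostic purpose without disclosing credentials. Whether to strip or to refuse TRACE entirely is a deployment decision; the point of the proposed text is that clients cannot assume the server has done either.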
Priority: normal
Milestone: Active WG Document
Type: design → editorial
There is an HTTP-related security violation approach found/researched by White Hat Security:
Reported by @mnot, migrated from https://trac.ietf.org/trac/httpbis/ticket/33