Well, reviewing Nessus reports this week has left me *very* pissed off. Has anyone assembled a list of all of the various client browser identifiers that are too moronic to handle a TRACE request properly?
It seems the rational thing to do is trip those browsers which can't handle a simple trace request and prevent THEM from invoking TRACE. Problem solved. Well, not quite. My real solution can't be published till April 1 2006 though :) Wish I thought of it two months ago :)
