On 3/21/2012 2:59 PM, Mark Montague wrote:
> On March 21, 2012 15:33 , "Roy T. Fielding" <field...@gbiv.com> wrote:
>> TRACE won't work at all if the most popular end-point doesn't support it.
>
> Why would this be a bad thing? Or, to phrase it another way, what are the
> situations in which it is desirable that TRACE be already-enabled on a web
> server as opposed to having the owner of the web server enable the TRACE
> method in response to a specific debugging need?
Because, if you do NOT own the end-point, but are trying to debug a fault in a proxy which you DO own, then the lack of support in the upstream proxies or origin server leaves you no ability to perform this diagnostic. The output was never intended for unfiltered display. IIS provided for the TRACE results to be emitted to the browser with no consideration of cross-site scripting implications. There WAS a browser bug, but never an actual flaw with the protocol or Apache implementation. Most of the security reports and scanner output mischaracterize the original defect.
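The diagnostic use of TRACE described in the reply, as an added example that is not from the thread or from httpd: a minimal Python origin server that implements TRACE as RFC 7231 specifies (echoing the received request line and headers back with Content-Type: message/http, never as HTML), plus a client that reads the echo to see which headers actually reached the origin. The Via header value is constructed to stand in for one a proxy hop would add.

```python
import http.server
import http.client
import threading

# Request headers that RFC 7231 advises the final recipient to leave out of
# the TRACE echo, since they are likely to carry credentials.
SENSITIVE = {"authorization", "cookie", "proxy-authorization"}

class TraceHandler(http.server.BaseHTTPRequestHandler):
    def do_TRACE(self):
        # Reflect the request line and headers as received, so the caller can
        # see what intermediaries (e.g. a proxy adding Via) changed or added.
        lines = [self.requestline] + [
            f"{k}: {v}" for k, v in self.headers.items()
            if k.lower() not in SENSITIVE
        ]
        body = ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")
        self.send_response(200)
        # message/http, not text/html: the echo is diagnostic data and a
        # browser must not render it as a page.
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet

def start_server():
    """Bind the echo server on a free loopback port and serve in the background."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), TraceHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def trace(host, port, extra_headers):
    """Send TRACE / with extra_headers; return (content_type, echoed_request)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.putrequest("TRACE", "/")
    for name, value in extra_headers.items():
        conn.putheader(name, value)
    conn.endheaders()
    resp = conn.getresponse()
    ctype = resp.getheader("Content-Type")
    echo = resp.read().decode("iso-8859-1")
    conn.close()
    return ctype, echo

if __name__ == "__main__":
    srv = start_server()
    # Constructed Via header standing in for one a proxy hop would add.
    ctype, echo = trace("127.0.0.1", srv.server_port, {"Via": "1.1 example-proxy"})
    print(ctype)
    print(echo)
    srv.shutdown()
```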