Thanks for this note. According to the abstract the advertising is
intended for "request headers for proactive content negotiation"
(Accept-*), which should exclude all other types of header. I looked at
the Security Considerations and wrote to the author with the suggestion
to note that implementations must be careful not to advertise any other
names, e.g. the names of headers intended to be set by the proxy for use
by a web server.

Vladimir

On 31/10/2019 15:13, Salz, Rich wrote:
>
> How about requiring reverse proxies to automatically scrub all inbound
> HTTP headers that start with "Sec-"?
>
> https://tools.ietf.org/html/draft-ietf-httpbis-client-hints-07
>
> Making a header value “secret” will not protect anything.
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
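As an added illustration of the scrubbing Rich proposes and of the proxy-set headers Vladimir mentions (example code, not from the client-hints draft or from either poster), a small reverse-proxy filter: it drops every inbound header whose name starts with `Sec-` and every name the proxy reserves for itself, then appends the proxy's own values so the origin only ever sees values the proxy produced. The reserved names and the sample request are constructed for this example.

```python
# Added example: header scrubbing at a reverse proxy, in the spirit of the
# thread above. Not code from the client-hints draft or from either poster.
from typing import Dict, List, Tuple

# Header names this proxy sets for the origin server (constructed names for
# this example). A client-supplied copy must never reach the origin.
PROXY_MANAGED = {"x-real-client-ip", "x-proxy-authenticated-user"}


def scrub_inbound_headers(headers: List[Tuple[str, str]], client_ip: str,
                          user: str = "") -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (forwarded_headers, dropped_names).

    Drops every header whose name starts with "Sec-" (case-insensitive,
    after stripping stray whitespace) and every proxy-managed name, then
    appends the proxy's own values. The dropped names are returned so the
    caller can log them.
    """
    forwarded: List[Tuple[str, str]] = []
    dropped: List[str] = []
    for name, value in headers:
        lname = name.strip().lower()
        if lname.startswith("sec-") or lname in PROXY_MANAGED:
            dropped.append(name)
            continue
        forwarded.append((name, value))
    forwarded.append(("X-Real-Client-IP", client_ip))
    if user:
        forwarded.append(("X-Proxy-Authenticated-User", user))
    return forwarded, dropped


# Constructed sample request: a mix of ordinary headers, Sec-* headers and
# client-supplied copies of the proxy-managed names (one with odd casing
# and a leading space, which a naive exact-match filter would miss).
SAMPLE_REQUEST = [
    ("Host", "example.test"),
    ("Accept", "text/html"),
    ("Sec-CH-Example", "client-supplied"),
    ("sec-fetch-site", "same-origin"),
    ("X-Proxy-Authenticated-User", "admin"),
    (" x-real-client-ip", "10.0.0.1"),
]

if __name__ == "__main__":
    fwd, gone = scrub_inbound_headers(SAMPLE_REQUEST, "203.0.113.9", "alice")
    print("forwarded:", fwd)
    print("dropped:", gone)
```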