On Tue, 19 Feb 2008 01:11:40 +0100, Jonas Sicking <[EMAIL PROTECTED]> wrote:
> mike amundsen wrote:
>> I agree w/ Kris:
>> Limiting HTTP headers is a real problem. I see no reason for this.
>> Certainly not for security reasons.
>
> How can you know that it is safe to send any header to any server? Note
> that no access checks are done before sending GET requests, so allowing
> any header there seems like it has great potential to have undesired
> effects on servers.
What exactly are the scenarios we're thinking of? An HTTP header that
allows you to make a DELETE request through a GET request by having
something like:

  X-Actual-Method: DELETE

Any others? (I agree that the above should probably be enough to only have
a whitelist for GET.)

Should we move the header restrictions to the Access Control
specification? An idea I had is that the cross-site access request
algorithm takes a list of author provided headers as argument and filters
those. For GET only a few would be allowed but for non-GET all would be
allowed but a few. Does that sound like a reasonable idea?
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
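As an added illustration of the filtering step Anne proposes (this is not code from the thread, from Opera, or from any version of the XMLHttpRequest or Access Control specifications), the function below models a cross-site access request algorithm that takes the author-provided headers and filters them: a short whitelist for GET, which is sent without a preceding access check, and a short blacklist for every other method. The header lists, the function name `filterAuthorHeaders`, and the sample requests are all constructed assumptions chosen to show the `X-Actual-Method: DELETE` case from the message.

```javascript
// Added example, not from the thread: a model of the proposed header filter.
// The lists and names here are illustrative assumptions, not any spec's.

// Hypothetical whitelist: the only author headers a cross-site GET may carry,
// since GET goes out before any access check has run.
const GET_ALLOWED = new Set(["accept", "accept-language", "content-language"]);

// Hypothetical blacklist: headers an author may never set on a cross-site
// non-GET request, because the browser or the transport owns them.
const ALWAYS_FORBIDDEN = new Set([
  "host", "content-length", "cookie", "authorization", "origin", "referer",
]);

/**
 * Split author-provided headers into those the request may carry and those
 * the algorithm drops.
 * @param {string} method  HTTP method of the cross-site request
 * @param {Array<[string, string]>} authorHeaders  [name, value] pairs
 * @returns {{allowed: Array<[string, string]>, dropped: Array<[string, string]>}}
 */
function filterAuthorHeaders(method, authorHeaders) {
  const isGet = method.toUpperCase() === "GET";
  const allowed = [];
  const dropped = [];
  for (const [name, value] of authorHeaders) {
    // Header names are case-insensitive, so compare a normalised form.
    const key = name.trim().toLowerCase();
    const permitted = isGet ? GET_ALLOWED.has(key) : !ALWAYS_FORBIDDEN.has(key);
    (permitted ? allowed : dropped).push([name, value]);
  }
  return { allowed, dropped };
}

// Constructed sample: the method-override header from the thread on a GET.
// Under the whitelist it is dropped, so the GET cannot be turned into a DELETE.
const getRequest = filterAuthorHeaders("GET", [
  ["Accept", "application/xml"],
  ["X-Actual-Method", "DELETE"],
]);
console.log("GET:", getRequest);

// On a POST the access check runs first, so the blacklist model lets the
// custom header through and the server decides whether to honour it, while
// a transport-owned header such as Host is still stripped.
const postRequest = filterAuthorHeaders("POST", [
  ["X-Actual-Method", "DELETE"],
  ["Host", "example.invalid"],
]);
console.log("POST:", postRequest);
```

The asymmetry is the point of the proposal: because nothing checks the target server before a cross-site GET is sent, the browser must decide on its own which headers are harmless there, whereas for other methods the access check gives the server a say before any header reaches it.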