Ian Hickson wrote:
On Thu, 8 Jun 2006, Charles McCathieNevile wrote:
Please be more specific. POST today allows *anything*.
Well, POST allows you to send anything. DELETE and PUT actually have
semantics that make them much more dangerous (and much more useful, if
you're building very simple publishing systems).
Just to be clear: from a security standpoint, none of those are a problem.
They all just affect the target host. There are FAR more dangerous
methods, for example CONNECT. The risk is not that the first-party server
might be attacked, since the first-party server is the only server we
_don't_ care about attacking. The risks are for things _other_ than the
first-party server. For example, a proxy server.
...
Speaking of which, if this is a security problem: why hasn't it been
fixed in Firefox 1.5 and/or IE 6SP2? Both seem to happily send CONNECT
requests when asked for.
Best regards, Julian