On 10/17/12 3:36 AM, Jungkee Song wrote:
But my concern was that even if the browser acts as such, intermediary caches would still return
forged content from their cache rather than trying to make a fresh request to the origin server.
That is, authors would expect that they are free from the cache poisoning threat based on
the spec, but it might not be true when a caching proxy is involved. Unless the server itself
actually puts "Vary: User-Agent" in the response, we cannot entirely avoid the
cache poisoning scenario.

That's true. And while such a caching proxy would, once again, be broken on real-world content, that doesn't help the security situation.

Does sanitizing the UA value to exclude certain chars (most particularly, '<' and company) help enough here?

-Boris
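As an added example (not code from this thread), a small Python audit of the two defensive points raised above, run over a constructed response: it strips the HTML metacharacters Boris mentions from a User-Agent string, and flags a response that reflects the UA unescaped, or that a shared cache may store without a `Vary: User-Agent` header. The header names and sample body are assumptions for illustration.

```python
import html
import re

# HTML/attribute metacharacters ('<' "and company") that let a reflected
# User-Agent string break out of the surrounding markup.
UNSAFE_UA_CHARS = re.compile(r'[<>"\'&]')


def sanitize_user_agent(ua: str) -> str:
    """Drop characters that could turn a reflected UA into markup."""
    return UNSAFE_UA_CHARS.sub("", ua)


def vary_covers_user_agent(headers: dict) -> bool:
    """True if Vary lists User-Agent (or '*'), so a shared cache keys on it."""
    fields = {f.strip().lower() for f in headers.get("Vary", "").split(",")}
    return "*" in fields or "user-agent" in fields


def shared_cache_may_store(headers: dict) -> bool:
    """A proxy may store the response unless it is marked private/no-store."""
    cc = headers.get("Cache-Control", "").lower()
    return not any(d in cc for d in ("private", "no-store"))


def audit_reflection(ua: str, headers: dict, body: str) -> list:
    """Findings for a response that echoes the request's User-Agent."""
    findings = []
    escaped = html.escape(ua, quote=True)
    if ua in body and escaped != ua:
        findings.append("user-agent reflected without HTML escaping")
    reflected = ua in body or escaped in body
    if reflected and shared_cache_may_store(headers) \
            and not vary_covers_user_agent(headers):
        findings.append("shared-cacheable response reflects user-agent "
                        "but lacks 'Vary: User-Agent'")
    return findings


# Constructed sample: a UA carrying a tag, echoed verbatim into a public page.
SAMPLE_UA = "Browser/1.0 (<demo>)"
WEAK_HEADERS = {"Cache-Control": "public, max-age=3600"}
WEAK_BODY = f"<p>Your browser: {SAMPLE_UA}</p>"
# Hardened variant: escaped on output and keyed on User-Agent in caches.
SAFE_HEADERS = {"Cache-Control": "public, max-age=3600",
                "Vary": "Accept-Encoding, User-Agent"}
SAFE_BODY = f"<p>Your browser: {html.escape(SAMPLE_UA, quote=True)}</p>"

if __name__ == "__main__":
    print(audit_reflection(SAMPLE_UA, WEAK_HEADERS, WEAK_BODY))
    print(audit_reflection(SAMPLE_UA, SAFE_HEADERS, SAFE_BODY))
```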
