Maciej Stachowiak wrote on 2/9/2010 4:13 AM:
HTTPbis should address this threat in the security considerations
section, and should strongly consider making it a MUST-level
requirement for servers to check that the Host header is a host they
serve. If HTTP had that requirement and all servers
On Tue, Feb 9, 2010 at 2:50 PM, Maciej Stachowiak m...@apple.com wrote:
A server can generally determine the domain name of the host it is running on
from the operating system, if it wants to run with zero configuration. That
is apparently what Apache does:
Aryeh Gregor wrote on 2/10/2010 3:21 PM:
On Wed, Feb 10, 2010 at 4:37 AM, Bil Corry b...@corry.biz wrote:
Another threat is an attacker crafting a malicious payload in the Host
header, hoping that it gets logged then viewed via a web browser.
That's just straight XSS.
I left it open-ended
On 8 Feb 2010, at 17:50, Anne van Kesteren wrote:
- Somewhat detailed considerations around CONNECT, TRACE, and TRACK
(flagged in the text of the specification, but not called out in the
security section; 4.6.1).
What is the reason for duplicating this information?
It will be useful
On Feb 8, 2010, at 9:01 AM, Julian Reschke wrote:
Anne van Kesteren wrote:
- Considerations around DNS rebinding.
Why would these be specific to XMLHttpRequest?
These indeed apply to just about any specification that uses a same-origin
policy. But that's not a justification for
On Tue, 09 Feb 2010 12:13:49 +0100, Thomas Roessler t...@w3.org wrote:
On 8 Feb 2010, at 17:50, Anne van Kesteren wrote:
Well, I didn't mean it literally, but that's what it would come down
to, no?
Again, please explain within the spec what the security reasons are for
this specific
On 9 Feb 2010, at 14:30, Anne van Kesteren wrote:
Again, please explain within the spec what the security reasons are for this
specific profile of HTTP. It'll help people understand the spec a few years
down the road.
I'm not an expert on the reasons so I'd prefer not to. I believe I
On Tue, Feb 9, 2010 at 7:13 AM, Maciej Stachowiak m...@apple.com wrote:
HTTPbis should address this threat in the security considerations section,
and should strongly consider making it a MUST-level requirement for servers
to check that the Host header is a host they serve. If HTTP had that
On Feb 9, 2010, at 11:46 AM, Aryeh Gregor wrote:
On Tue, Feb 9, 2010 at 7:13 AM, Maciej Stachowiak m...@apple.com wrote:
HTTPbis should address this threat in the security considerations section,
and should strongly consider making it a MUST-level requirement for servers
to check that the
On Thu, 04 Feb 2010 17:22:16 +0100, Thomas Roessler t...@w3.org wrote:
On 31 Jan 2010, at 14:23, Anne van Kesteren wrote:
On Tue, 19 Jan 2010 08:01:12 +0100, Thomas Roessler t...@w3.org wrote:
With apologies for the belated Last Call comment -- the XMLHttpRequest
specification
Anne van Kesteren wrote:
- Considerations around DNS rebinding.
Why would these be specific to XMLHttpRequest?
These indeed apply to just about any specification that uses a
same-origin policy. But that's not a justification for ignoring them
here. DNS rebinding has been both obvious and
On Mon, 08 Feb 2010 18:01:18 +0100, Julian Reschke julian.resc...@gmx.de
wrote:
Is re-binding == spoofing? Does
http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.15.3 help,
or does it need to be updated (Thomas; HTTPbis will gladly accept your
input ;-).
As far as I can tell DNS
On 31 Jan 2010, at 14:23, Anne van Kesteren wrote:
On Tue, 19 Jan 2010 08:01:12 +0100, Thomas Roessler t...@w3.org wrote:
With apologies for the belated Last Call comment -- the XMLHttpRequest
specification
http://www.w3.org/TR/XMLHttpRequest/
... doesn't have meaningful security
On Tue, 19 Jan 2010 08:01:12 +0100, Thomas Roessler t...@w3.org wrote:
With apologies for the belated Last Call comment -- the XMLHttpRequest
specification
http://www.w3.org/TR/XMLHttpRequest/
... doesn't have meaningful security considerations.
I actually removed that section altogether