Sorry to be blunt, but shouldn't these sites be securing themselves? Having Squid strip this header hardly closes any significant attack vectors off... and doing so creates yet another special case for people to work around.

-1 on Translate (default strip; registering it, I suppose, although it's a vendor-specific extension header that they haven't bothered to register; I'd rather the focus be on those headers that people have actually tried to do the right thing for -- especially when they have *not* said they'll license patents for this specification).

WRT Unless-Modified-Since -- IIRC this is a very old, pre-2068 version of If-Range. /me looks around...
see: 
http://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15847a-s96/web/draft-luotonen-http-url-byterange-02.txt

What's the issue with it? Amusingly, MSFT thinks it's a response header:
  http://msdn.microsoft.com/en-us/library/aa917918.aspx



On 18/05/2009, at 9:05 PM, Amos Jeffries wrote:

Both of these are non-standard headers created by Microsoft.

These are both weird ones. We seem to need them, but only because they need to be stripped away in certain circumstances.

The Translate: header is the trickiest. After reading the docs it appears we should be always stripping it away for security. Its entire purpose is to perform code disclosure 'attacks' on targeted dynamic sites. With perhaps a fast-ACL to allow admins to use it and control the requests using it when they really need to.

Pending any objections I'll add as registered headers in 3.0 and the above handling for Translate in 3.1.

Amos
--
Please be using
 Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
 Current Beta Squid 3.1.0.7

--
Mark Nottingham       m...@yahoo-inc.com
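As an added example (not from the thread, and not Squid's own documentation), this is what the handling Amos describes looks like in squid.conf terms: strip the Translate: request header by default, and let it through only for an admin-controlled ACL. It assumes the Squid 3.x `request_header_access` directive and that Squid accepts "Translate" as a header name in that directive, which is exactly the registration under discussion; the source address range is invented for the example.

```conf
# Hypothetical squid.conf fragment (added example, not from the thread).
# Assumes: Squid 3.x request_header_access syntax, and that Squid knows
# "Translate" as a header name (the registration Amos proposes).

# Hosts that legitimately need Translate: (e.g. WebDAV authoring tools).
# The address range is made up for this example.
acl translate_admins src 192.0.2.0/24

# Rules are checked in order, first match wins: pass the header through
# for the admin hosts, strip it from every other request. Headers not
# named in any request_header_access rule are passed through unchanged.
request_header_access Translate allow translate_admins
request_header_access Translate deny all
```

Note that a "deny" here only removes the header from the forwarded request; the request itself still goes through, so nothing breaks for clients that did not need Translate: in the first place.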

