On 03/19/2012 04:35 AM, Julian Reschke wrote:
I'd like to point out that I still think my concerns over the
inconsistent use of quoted-string
(<http://www.ietf.org/mail-archive/web/websec/current/msg01044.html>)
are valid and not addressed; and I think they should be before you go to
IETF LC.

As a developer at a company which makes a product that makes security decisions based on parsing HTTP headers I find Julian's concerns, well, concerning.

While we don't currently operate on this specific header, ambiguities in how an application server will interpret minor variations on header values often become opportunities for an attacker to bypass security measures. For example, a "web application firewall" (WAF) may be configured to forbid certain values of a customer-specified header. When new headers don't follow consistent syntactic rules, it takes away a bit of the developer's ability to simplify things for his customer.

Again, I'm not claiming to be an expert on this particular header and clearly it's a difficult issue with arguments for doing it both ways. But I would ask that everyone try their best to find the least-bad alternative with an emphasis on consistency with the rest of HTTP.

- Marsh
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
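The parsing ambiguity Marsh describes, as an added example that is not part of the original message or of any IETF draft: a small parser for HTTP header directives whose values may be written either as a token or as a quoted-string (the RFC 7230 section 3.2.6 forms), beside a raw-substring policy check and a check applied to the parsed value. The directive name `mode`, the value `off` and the sample header values are constructed for illustration and do not refer to any particular header.

```python
"""Added example (not from the original message or any IETF draft): parse
header directives whose values may be a token or a quoted-string, and show
why a security rule must compare canonical parsed values, not raw text."""

import re

# RFC 7230 tchar: the characters allowed in a token
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
_TOKEN = re.compile(rf"{_TCHAR}+")
# quoted-string: DQUOTE *( qdtext / quoted-pair ) DQUOTE
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


class HeaderSyntaxError(ValueError):
    """Raised for input the directive grammar does not accept."""


def parse_directives(value: str) -> dict:
    """Parse 'name=value; name2="quoted"; flag' into {name: value}.

    Values are returned unquoted and with quoted-pairs unescaped, so the
    token and quoted-string spellings of the same value compare equal.
    Names are lower-cased (directive names are case-insensitive); a bare
    flag maps to None; malformed input raises HeaderSyntaxError.
    """
    result = {}
    pos, n = 0, len(value)
    while pos < n:
        while pos < n and value[pos] in " \t;":   # OWS and empty elements
            pos += 1
        if pos >= n:
            break
        m = _TOKEN.match(value, pos)
        if not m:
            raise HeaderSyntaxError(f"expected token at offset {pos}")
        name = m.group().lower()
        pos = m.end()
        while pos < n and value[pos] in " \t":
            pos += 1
        if pos < n and value[pos] == "=":
            pos += 1
            while pos < n and value[pos] in " \t":
                pos += 1
            if pos < n and value[pos] == '"':
                q = _QUOTED.match(value, pos)
                if not q:
                    raise HeaderSyntaxError(f"unterminated quoted-string at offset {pos}")
                # quoted-pair: a backslash stands for the character after it
                val = re.sub(r"\\(.)", r"\1", q.group(1))
                pos = q.end()
            else:
                t = _TOKEN.match(value, pos)
                if not t:
                    raise HeaderSyntaxError(f"expected token or quoted-string at offset {pos}")
                val = t.group()
                pos = t.end()
        else:
            val = None  # bare flag such as "flag" in the constructed sample
        if name in result:
            raise HeaderSyntaxError(f"duplicate directive {name!r}")
        result[name] = val
        while pos < n and value[pos] in " \t":
            pos += 1
        if pos < n and value[pos] != ";":
            raise HeaderSyntaxError(f"unexpected {value[pos]!r} at offset {pos}")
    return result


def naive_policy_blocks(raw: str, forbidden: str) -> bool:
    """Raw-substring rule: matches only the one spelling it was written for."""
    return forbidden in raw


def parsed_policy_blocks(raw: str, name: str, forbidden_value: str) -> bool:
    """Rule applied to the canonical parsed value. Input the grammar rejects
    is blocked rather than passed through unchecked."""
    try:
        directives = parse_directives(raw)
    except HeaderSyntaxError:
        return True
    return directives.get(name.lower()) == forbidden_value


if __name__ == "__main__":
    # Constructed sample spellings of the same directive value.
    for raw in ('mode=off', 'mode="off"', 'Mode = "o\\ff"; flag'):
        print(f"{raw!r:28} naive={naive_policy_blocks(raw, 'mode=off')} "
              f"parsed={parsed_policy_blocks(raw, 'mode', 'off')}")
```

The three constructed spellings all carry the value `off` under the RFC 7230 grammar, yet the raw-substring rule only recognises the first; the parsed rule treats them identically and also rejects an unterminated quoted-string instead of letting it through. That is the consistency point at stake: the fewer syntactic forms a header admits, the less such canonicalisation a downstream policy engine has to get exactly right.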
