Re: [RFC] Translate and Unless-Modified-Since headers

From: Kinkie <gkinkie_at_gmail.com>
Date: Mon, 18 May 2009 13:40:05 +0200

On Mon, May 18, 2009 at 1:05 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> Both of these are non-standard headers created by Microsoft.
>
> These are both weird ones. We seem to need them, but only because they need
> to be stripped away in certain circumstances.
>
> The Translate: header is the trickiest. After reading the docs it appears we
> should be always stripping it away for security. Its entire purpose is to
> perform code disclosure 'attacks' on targeted dynamic sites. With perhaps a
> fast-ACL to allow admins to use it and control the requests using it when
> they really need to.
>
> Pending any objections I'll add as registered headers in 3.0 and the above
> handling for Translate in 3.1.

Do you have any reference document to point me to?

+1 to registering them, but I'd like to understand a bit more before
default-stripping.

-- 
    /kinkie
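As an added illustration of the "strip by default, fast-ACL to re-allow" handling Amos proposes above (this is an example written for this page, not a fragment from the thread or from Squid's shipped squid.conf): a request_header_access policy for the two headers. It assumes a Squid build with http_violations enabled (the default), a release in which Translate and Unless-Modified-Since are already registered header names (request_header_access only accepts known headers), and an example admin subnet.

```conf
# Constructed squid.conf fragment (example, not Squid's own defaults).
#
# Translate: is the Microsoft header the thread describes as existing
# only to perform code disclosure against dynamic sites, so it is
# dropped from client requests by default. Rules are evaluated in
# order and the first match wins, so the allow line lets an assumed
# trusted admin range through and everyone else is denied.
acl translate_admins src 192.0.2.0/24   # assumed example admin subnet

request_header_access Translate allow translate_admins
request_header_access Translate deny all

# Unless-Modified-Since is also non-standard but is not described as a
# security problem, so it is left at the default (allowed), written out
# explicitly here so the two policies can be compared side by side.
request_header_access Unless-Modified-Since allow all
```

Stripping a header this way only affects what Squid forwards to the origin; admins who need the header for legitimate WebDAV or authoring traffic extend the acl rather than removing the deny line.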
Received on Mon May 18 2009 - 11:40:16 MDT
