Date: Tue Nov 05 2002 - 23:16:33 CST
On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer <WeimerCERT.Uni-Stuttgart.DE> said:
> What about HTTP headers which advise user agents to disable some
> features, e.g. read/write access to the document or parts of it via
> scripting or other Internet Explorer interfaces?
> Is anybody interested in writing an Informational RFC on this topic?
It's one thing for a web browser to refuse to do something because it suspects
that it has been asked something underhanded (for instance, to not give a
cookie value to a script if it were tagged 'httponly').
It's something else for a server to try to restrict user agents that way.
A well-behaved user agent won't need the hints, and a malicious one won't
listen to them....
(Note - I'm talking here about a server trying to say "Thou Shalt Not Do
XYZ" and expecting to be listened to - if anything, this is a big clue to
the attacker that they should look for a way to try to do XYZ anyhow. That
never works. On the other hand, there are *lots* of areas where *HINTS*
(like the HTTP 'Expires' header) are quite valuable...)
Remember - we've seen enough Bugtraq postings about people who try to use
hidden fields in an HTML document for security, and get it wrong...
-- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
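The two cases the message above contrasts (a user agent honouring 'httponly' on its own initiative, and a server relying on something the client can simply ignore, such as a hidden form field), as an added example that is not part of the original thread or its authors' code. The Set-Cookie headers, the catalogue of prices and the tampered POST body are constructed for the illustration, and the function names are assumptions of this example:

```python
# Added example, not part of the original thread. Constructed data throughout.
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# --- 1. HttpOnly is honoured by a well-behaved user agent and simply
#        ignored by a non-compliant or malicious one. ---

RESPONSE_HEADERS = [  # constructed server response headers
    ("Set-Cookie", "session=abc123; HttpOnly; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]


def parse_set_cookie(headers):
    """Build a cookie jar {name: (value, httponly)} from Set-Cookie headers."""
    jar = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        c = SimpleCookie()
        c.load(value)
        for key, morsel in c.items():
            # Morsel flags are True when present and "" when absent.
            jar[key] = (morsel.value, bool(morsel["httponly"]))
    return jar


def script_visible_cookies(jar, honours_httponly=True):
    """What document.cookie would return. A compliant UA hides HttpOnly
    cookies from script; a client that ignores the flag returns all of them,
    which is why the server must never assume the flag protected anything."""
    return {k: v for k, (v, httponly) in jar.items()
            if not (honours_httponly and httponly)}


# --- 2. A hidden form field is the same kind of hint: the client can change
#        it, so the server must hold the authoritative value itself. ---

CATALOG = {"widget": 1999, "gadget": 4999}  # constructed, prices in cents

# Constructed tampered POST body: the attacker edited the hidden 'price' field.
TAMPERED_BODY = "item=widget&qty=3&price=1"


def total_trusting_hidden_field(body):
    """Vulnerable: multiplies whatever 'price' the client sent."""
    form = parse_qs(body)
    return int(form["price"][0]) * int(form["qty"][0])


def total_server_side(body):
    """Hardened: only 'item' and 'qty' are accepted from the client; the price
    is looked up server-side and any client-supplied 'price' is ignored."""
    form = parse_qs(body)
    item = form.get("item", [""])[0]
    try:
        qty = int(form.get("qty", ["0"])[0])
    except ValueError:
        raise ValueError("qty is not an integer")
    if item not in CATALOG:
        raise ValueError("unknown item")
    if not 1 <= qty <= 100:
        raise ValueError("qty out of range")
    return CATALOG[item] * qty


if __name__ == "__main__":
    jar = parse_set_cookie(RESPONSE_HEADERS)
    print("compliant UA sees:", script_visible_cookies(jar))
    print("non-compliant UA sees:", script_visible_cookies(jar, honours_httponly=False))
    print("trusting hidden field:", total_trusting_hidden_field(TAMPERED_BODY))
    print("server-side price:", total_server_side(TAMPERED_BODY))
```

The cookie half shows the direction the message calls legitimate: the flag changes what a cooperating browser does, and nothing else. The form half shows the direction it calls futile: the tampered body yields a total of 3 cents when the hidden field is trusted, and the correct 5997 cents only because the server keeps its own price list and validates the fields it does accept.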