Valdis.Kletnieks_at_vt.edu
Date: Tue Nov 05 2002 - 23:16:33 CST

    On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer <WeimerCERT.Uni-Stuttgart.DE> said:

    > What about HTTP headers which advise user agents to disable some
    > features, e.g. read/write access to the document or parts of it via
    > scripting or other Internet Explorer interfaces?
    >
    > Is anybody interested in writing an Informational RFC on this topic?

    Pointless.

    It's one thing for a web browser to refuse to do something because it suspects
    that it has been asked something underhanded (for instance, to not give a
    cookie value to a script if it were tagged 'httponly').

    It's something else for a server to try to restrict user agents that way.
    A well-behaved user agent won't need the hints, and a malicious one won't
    listen to them....

    (Note - I'm talking here about a server trying to say "Thou Shalt Not Do
    XYZ" and expecting to be listened to - if anything, this is a big clue to
    the attacker that they should look for a way to try to do XYZ anyhow. That
    never works. On the other hand, there are *lots* of areas where *HINTS*
    (like the HTTP 'Expires' header) are quite valuable...)

    Remember - we've seen enough Bugtraq postings about people who try to use
    hidden fields in an HTML document for security, and get it wrong...

    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech
    

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)
    Comment: Exmh version 2.5 07/13/2001

    iD8DBQE9yKWxcC3lWbTT17ARAvDLAJ9puA6B6Hy6aY4GWG0L7bh1f82rlwCfXdH+
    rEafNJEUj1zjyi6CYL/k0dw=
    =ntTY
    -----END PGP SIGNATURE-----
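The post contrasts two things: a browser-enforced restriction (an 'httponly' cookie the browser withholds from scripts), and a server trusting the client to honour a restriction it cannot enforce, the classic case being a hidden form field used "for security". The following is an added example, not code from the post or from any project discussed on the list. It sets the HttpOnly attribute on a session cookie, shows the naive order handler that charges whatever price the hidden field says, and beside it a handler that treats every client-supplied field as untrusted: the price comes from a server-side catalog, and the hidden state is only accepted if its HMAC (computed with a key the client never sees) verifies. The catalog, the key, and all function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed server-side state for the example: the price list the
# server trusts (cents), and a signing key that never leaves the server.
CATALOG = {"widget": 1999, "gadget": 4999}
FORM_KEY = secrets.token_bytes(32)


def build_session_cookie(session_id: str) -> str:
    """Set-Cookie header value for a session cookie.

    HttpOnly is a restriction the *browser* enforces on its own scripts
    (document.cookie will not return it); Secure and SameSite likewise.
    """
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def naive_charge(body: str) -> int:
    """The pattern the post warns about: the hidden 'price' field is
    taken at face value, so any client can submit price=1."""
    fields = parse_qs(body)
    return int(fields["price"][0])


def sign_hidden_state(item: str) -> str:
    """Value to emit in a hidden field: the item name plus an HMAC over
    it. The client can read it but cannot forge it without FORM_KEY."""
    tag = hmac.new(FORM_KEY, item.encode(), hashlib.sha256).hexdigest()
    return f"{item}.{tag}"


def process_order(body: str) -> tuple[bool, int, str]:
    """Hardened handler. Returns (accepted, charge_cents, reason).

    Nothing the client sent decides the price: the hidden state is
    verified against the server's own key, and the amount is looked
    up server-side. A 'price' field in the body is simply ignored.
    """
    fields = parse_qs(body)
    state = fields.get("state", [""])[0]
    item, _, tag = state.rpartition(".")
    expected = hmac.new(FORM_KEY, item.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if not item or not hmac.compare_digest(tag, expected):
        return (False, 0, "hidden field missing or tampered")
    if item not in CATALOG:
        return (False, 0, "unknown item")
    return (True, CATALOG[item], "ok")


if __name__ == "__main__":
    # A constructed form post: the client changed 'price' and kept the
    # signed state it was given.
    state = sign_hidden_state("widget")
    body = f"state={state}&item=widget&price=1"
    print("Set-Cookie:", build_session_cookie("c0ffee"))
    print("naive handler charges:", naive_charge(body))   # 1
    print("hardened handler:", process_order(body))       # charges 1999
```

The asymmetry is the one the post describes: HttpOnly works because the party enforcing it (the browser) is the same party that would otherwise expose the cookie, whereas a hidden field only "works" until someone edits it, so the server must re-derive everything it cares about, or at least detect that the client changed it.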