On Mon, 15 Oct 2007 19:33:59 +0200, Daniel Veditz <[EMAIL PROTECTED]>
wrote:
> Section 1.2.1 seems to say that a conforming user agent SHOULD support
> the TRACE method since TRACE is one of the RFC 2616 5.1.1 methods.
> Instead the XHR spec should explicitly say that "a conforming user agent
> SHOULD NOT support the TRACE or TRACK methods". (TRACK is used by old
> versions of IIS)
>
> These two methods can be abused through XSS holes to recover HttpOnly
> cookies and Http Authentication details. Mozilla browsers do not and will
> not support these two methods. US-CERT has recommended servers disable
> TRACE support since 2003 because of this problem, but many did not get
> the message. http://www.kb.cert.org/vuls/id/867593
CONNECT is also a security issue. The SHOULD-level requirement is about
supporting arbitrary HTTP methods, not TRACE, CONNECT, and apparently
TRACK, specifically. The open() algorithm allows user agents to throw a
SECURITY_ERR exception for methods with security implications though it
doesn't call the known ones out explicitly. It probably should.
How to deal with HTTP methods is a bit unclear at the moment. Generally
speaking Firefox supports arbitrary HTTP methods though it uses some
case-insensitive hash table which violates HTTP. Internet Explorer 7
doesn't support them, uses a whitelist, and throws an exception for
unknown methods. Opera doesn't either, and uses GET requests for unknown
methods.
--
Anne van Kesteren
<http://annevankesteren.nl/>
<http://www.opera.com/>
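As an added example, not part of the original thread and not code from the XHR spec or from any browser, the following JavaScript sketches what an explicit method check in open() of the kind discussed above could look like, plus a small parser over a constructed TRACE echo showing what a script that can read such a response would recover. The names validateMethod, credentialsEchoedByTrace, SecurityError, FORBIDDEN_METHODS and the sample echo are all assumptions made here for illustration.

```javascript
// Added example (not from the XHR spec or any browser implementation).
// Names and the sample response below are assumptions for illustration.

// Methods whose echo/tunnel semantics let script read back credentials
// it should not see (HttpOnly cookies, Authorization headers).
const FORBIDDEN_METHODS = new Set(["TRACE", "TRACK", "CONNECT"]);

// RFC 2616 "token": one or more CHARs excluding CTLs and separators.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "SecurityError";
  }
}

// Returns the method string to put on the wire, or throws.
function validateMethod(method) {
  if (typeof method !== "string" || !TOKEN_RE.test(method)) {
    throw new SyntaxError("invalid HTTP method token: " + JSON.stringify(method));
  }
  // The blocklist is compared case-insensitively on purpose: method names
  // are case-sensitive on the wire, but a server that honours "trace" is
  // exactly as dangerous as one that honours "TRACE", so refuse every spelling.
  if (FORBIDDEN_METHODS.has(method.toUpperCase())) {
    throw new SecurityError("method " + method + " is not allowed from script");
  }
  // Anything else passes through unchanged: no case folding of arbitrary
  // methods, so the user agent does not rewrite what the script asked for.
  return method;
}

// A TRACE response body is the request echoed back as message/http, so any
// script that can read it sees every request header the browser added.
// This extracts the headers an XSS payload would be after.
function credentialsEchoedByTrace(responseBody) {
  const lines = responseBody.split(/\r?\n/);
  const leaked = {};
  for (const line of lines.slice(1)) {   // lines[0] is the echoed request line
    if (line === "") break;              // blank line ends the echoed headers
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (name === "cookie" || name === "authorization") {
      leaked[name] = value;
    }
  }
  return leaked;
}

// Constructed sample of what a server with TRACE enabled would send back
// for a request the browser decorated with a cookie and Basic auth.
const SAMPLE_TRACE_ECHO =
  "TRACE /index.html HTTP/1.1\r\n" +
  "Host: example.test\r\n" +
  "Cookie: session=abc123\r\n" +
  "Authorization: Basic dXNlcjpwYXNz\r\n" +
  "\r\n";

// Demonstration when run directly.
for (const m of ["GET", "PATCH", "TRACE", "trace", "CONNECT", "GET /"]) {
  try {
    console.log(m, "->", validateMethod(m));
  } catch (e) {
    console.log(m, "->", e.name + ": " + e.message);
  }
}
console.log("leaked by TRACE echo:", credentialsEchoedByTrace(SAMPLE_TRACE_ECHO));
```

The pass-through for unknown methods mirrors the "support arbitrary HTTP methods" reading of the SHOULD, while the explicit SecurityError for TRACE, TRACK and CONNECT is the part the thread says the open() algorithm leaves implicit; a whitelist-only user agent would replace the pass-through with a lookup and throw for anything not listed.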