On Tue, 05 Nov 2002 22:38:32 +0100, Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE> said:

> What about HTTP headers which advise user agents to disable some
> features, e.g. read/write access to the document or parts of it via
> scripting or other Internet Explorer interfaces?
>
> Is anybody interested in writing an Informational RFC on this topic?

Pointless. It's one thing for a web browser to refuse to do something because it suspects that it has been asked something underhanded (for instance, to not give a cookie value to a script if it were tagged 'httponly'). It's something else for a server to try to restrict user agents that way. A well-behaved user agent won't need the hints, and a malicious one won't listen to them....

(Note - I'm talking here about a server trying to say "Thou Shalt Not Do XYZ" and expecting to be listened to - if anything, this is a big clue to the attacker that they should look for a way to try to do XYZ anyhow. That never works.)

On the other hand, there are *lots* of areas where *HINTS* (like the HTTP 'Expires' header) are quite valuable...

Remember - we've seen enough Bugtraq postings about people who try to use hidden fields in an HTML document for security, and get it wrong...

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
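The distinction drawn above (a client-side refusal such as HttpOnly is the client's own decision, so a server cannot build its security on a client obeying its instructions, and hidden form fields are the classic way to get that wrong) as an added example, not code from the original post. The Set-Cookie headers, the catalogue, the SKU names and the form bodies are constructed samples; `script_visible_cookies`, `checkout_trusting_hidden_field` and `checkout_validated` are hypothetical names chosen for the illustration.

```python
"""Two illustrations that a server's instructions to a client are advisory:
the client decides whether to honour them, so the server must not rely on
them for its own security.  Added example, not from the original post;
cookie and form values below are constructed samples."""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed sample response headers: a session cookie tagged HttpOnly and
# a second cookie without the tag.
SET_COOKIE_HEADERS = [
    "session=abc123; HttpOnly; Path=/",
    "theme=dark; Path=/",
]


def script_visible_cookies(headers, honours_httponly):
    """Return the cookies a page script would be handed.

    A well-behaved user agent withholds HttpOnly cookies from script; a
    client that does not implement the flag (or chooses to ignore it) hands
    everything over.  Nothing the server did changes that outcome.
    """
    visible = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)  # parses the flag into morsel["httponly"]
        for name, morsel in jar.items():
            if honours_httponly and morsel["httponly"]:
                continue  # compliant UA: flag respected, cookie withheld
            visible[name] = morsel.value
    return visible


# Constructed server-side catalogue: prices in cents, keyed by SKU.
CATALOG = {"sku-100": 4999}


def checkout_trusting_hidden_field(form_body):
    """Vulnerable pattern: the server emitted <input type=hidden name=price>
    and now believes the value that came back.  The client controls it."""
    fields = parse_qs(form_body)
    return int(fields["price"][0]) * int(fields["qty"][0])


def checkout_validated(form_body):
    """Hardened pattern: the price comes from server state; any 'price'
    field in the submission is ignored, and sku/qty are validated."""
    fields = parse_qs(form_body)
    sku = fields.get("sku", [""])[0]
    try:
        qty = int(fields.get("qty", ["0"])[0])
    except ValueError:
        raise ValueError("qty is not an integer")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    if qty < 1:
        raise ValueError("qty must be positive")
    return CATALOG[sku] * qty


if __name__ == "__main__":
    print("compliant UA sees:", script_visible_cookies(SET_COOKIE_HEADERS, True))
    print("non-compliant UA sees:", script_visible_cookies(SET_COOKIE_HEADERS, False))
    tampered = "sku=sku-100&qty=2&price=1"  # attacker edited the hidden field
    print("trusting handler charges:", checkout_trusting_hidden_field(tampered))
    print("validated handler charges:", checkout_validated(tampered))
```

The cookie half only models the user agent's choice; the server emits the same header either way. The checkout half is the server-side counterpart: the only defence against a tampered hidden field is to never consult it.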