Timestamp:
30/12/12 09:19:07 (8 years ago)
Author:
fielding@…
Message:

(editorial) move p1 security considerations regarding semantics to p2

File:
1 edited

  • draft-ietf-httpbis/latest/p2-semantics.xml

    r2069 r2070  
    46514651</t>
    46524652
     4653<section title="Personal Information" anchor="personal.information">
     4654<t>
     4655   HTTP clients are often privy to large amounts of personal information,
     4656   including both information provided by the user to interact with resources
     4657   (e.g., the user's name, location, mail address, passwords, encryption
     4658   keys, etc.) and information about the user's browsing activity over
     4659   time (e.g., history, bookmarks, etc.). HTTP implementations need to
     4660   prevent unintentional leakage of this information.
     4661</t>
     4662</section>
     4663
     4664<section title="Attacks Based On File and Path Names" anchor="attack.pathname">
     4665<t>
     4666   Origin servers &SHOULD; be careful to restrict
     4667   the documents sent in response to HTTP requests to be only those that were
     4668   intended by the server administrators. If an HTTP server translates
     4669   HTTP URIs directly into file system calls, the server &MUST; take
     4670   special care not to serve files that were not intended to be
     4671   delivered to HTTP clients. For example, UNIX, Microsoft Windows, and
     4672   other operating systems use ".." as a path component to indicate a
     4673   directory level above the current one. On such a system, an HTTP
     4674   server &MUST; disallow any such construct in the request-target if it
     4675   would otherwise allow access to a resource outside those intended to
     4676   be accessible via the HTTP server. Similarly, files intended for
     4677   reference only internally to the server (such as access control
     4678   files, configuration files, and script code) &MUST; be protected from
     4679   inappropriate retrieval, since they might contain sensitive
     4680   information.
     4681</t>
     4682</section>
     4683
    46534684<section title="Transfer of Sensitive Information" anchor="security.sensitive">
    46544685<t>
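Review bot: the ".." rule in the new "Attacks Based On File and Path Names" section only says to disallow that construct in the request-target, which leaves it ambiguous whether the check is applied before or after percent-decoding; a server that inspects the raw request-target will not notice "%2E%2E", and one that decodes but never normalizes the resulting path can still be led outside the intended tree. Suggest making the point of application explicit, for example "disallow any such construct in the request-target, after percent-decoding and path normalization, if it would otherwise allow access to a resource outside those intended to be accessible", or, equivalently, require that the resolved file system path be verified to lie under the intended document root before the file is served.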
     
    47594790</section>
    47604791
    4761 <section title="Security Considerations for CONNECT">
     4792<section title="Misuse of CONNECT">
    47624793<t>
    47634794   Since tunneled data is opaque to the proxy, there are additional
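Review bot: the renamed section "Misuse of CONNECT" carries no anchor attribute, while every other section touched by this change ("personal.information", "attack.pathname", "security.sensitive") has one; since the title is being changed anyway, add an anchor in the same style as the neighbouring sections so the section can be cross-referenced from the other parts (including the p1 text this change is moving material away from). Without an anchor the section cannot be referenced at all, and a later title change would silently break any reader relying on the heading text.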