Timestamp:
Jan 19, 2013, 6:45:56 AM (7 years ago)
Author:
fielding@…
Message:

add a security consideration for entity-tag tracking

File:
1 edited

  • draft-ietf-httpbis/latest/p4-conditional.xml

    r2129 r2130  
    11071107   This section is meant to inform developers, information providers, and
    11081108   users of known security concerns specific to the HTTP/1.1 conditional
    1109    request mechanisms. No additional security considerations have been
    1110    identified beyond those applicable to HTTP messaging &messaging; and
    1111    semantics &semantics;.
     1109   request mechanisms. More general security considerations are addressed
     1110   in HTTP messaging &messaging; and semantics &semantics;.
    11121111</t>
    11131112<t>
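Review bot: the rewording at lines 1109-1110 is required for consistency, not just style: the removed sentence ("No additional security considerations have been identified beyond those applicable to HTTP messaging ... and semantics") would be directly contradicted by the entity-tag privacy consideration added later in this same section, so the neutral "More general security considerations are addressed in ..." is the right fix. Consider keeping the explicit pointer to &messaging; and &semantics; as the place where the generic (non-conditional) concerns live, which the new text does.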
     
    11191118   response that is no more harmful than an HTTP exchange without conditional
    11201119   requests.
     1120</t>
     1121<t>
     1122   An entity-tag can be abused in ways that create privacy risks. For example,
     1123   a site might deliberately construct a semantically invalid entity-tag that
     1124   is unique to the user or user agent, send it in a cacheable response with a
     1125   long freshness time, and then read that entity-tag in later conditional
     1126   requests as a means of re-identifying that user or user agent. Such an
     1127   identifying tag would become a persistent identifier for as long as the
     1128   user agent retained the original cache entry. User agents that cache
     1129   representations ought to ensure that the cache is cleared or replaced
     1130   whenever the user performs privacy-maintaining actions, such as clearing
     1131   stored cookies or changing to a private browsing mode.
    11211132</t>
    11221133</section>
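Review bot: the mitigation in lines 1128-1131 rests entirely on the user agent, and the paragraph should say why: the identifying tag is well-formed and, to a cache or intermediary, indistinguishable from a legitimate validator, so it cannot be filtered on receipt and clearing or partitioning the cache on privacy-maintaining actions is the only effective defence. Related to that, "semantically invalid entity-tag" (line 1123) may puzzle readers since the tag is syntactically valid; something like "an entity-tag that does not correspond to the representation" would make the intent clearer. Finally, the persistence statement at lines 1126-1128 ("for as long as the user agent retained the original cache entry") could note that the long freshness time in line 1125 is what makes the identifier durable, which ties the example to the "cleared or replaced" advice that follows.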