Changeset 2569

Timestamp:

23/01/14 09:31:59 (8 years ago)

Author:

fielding@…

Message:

(editorial) OWASP only provides useful additional info for web application semantics and authentication; see #520 and #549

Location:

draft-ietf-httpbis/latest

Files:

• p1-messaging.html (modified) (8 diffs)
• p1-messaging.xml (modified) (2 diffs)
• p2-semantics.html (modified) (1 diff)
• p2-semantics.xml (modified) (1 diff)
• p4-conditional.html (modified) (5 diffs)
• p4-conditional.xml (modified) (1 diff)
• p5-range.html (modified) (6 diffs)
• p5-range.xml (modified) (1 diff)
• p6-cache.html (modified) (6 diffs)
• p6-cache.xml (modified) (2 diffs)

draft-ietf-httpbis/latest/p1-messaging.html

@@ -448 +448 @@
   }
   @bottom-center {
-       content: "Expires July 26, 2014";
+       content: "Expires July 27, 2014";
   }
   @bottom-right {
@@ -490 +490 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p1-messaging-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2014-01-22">
+      <meta name="dct.issued" scheme="ISO8601" content="2014-01-23">
       <meta name="dct.replaces" content="urn:ietf:rfc:2145">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
@@ -519 +519 @@
             <tr>
                <td class="left">Intended status: Standards Track</td>
-               <td class="right">January 22, 2014</td>
+               <td class="right">January 23, 2014</td>
             </tr>
             <tr>
-               <td class="left">Expires: July 26, 2014</td>
+               <td class="left">Expires: July 27, 2014</td>
                <td class="right"></td>
             </tr>
@@ -551 +551 @@
             in progress”.
          </p>
-         <p>This Internet-Draft will expire on July 26, 2014.</p>
+         <p>This Internet-Draft will expire on July 27, 2014.</p>
       </div>
       <div id="rfc.copyrightnotice">
@@ -2844 +2844 @@
       <div id="security.considerations">
          <h1 id="rfc.section.9"><a href="#rfc.section.9">9.</a>&nbsp;<a href="#security.considerations">Security Considerations</a></h1>
-         <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security concerns relevant to HTTP/1.1
-            message syntax, parsing, and routing.
-         </p>
-         <p id="rfc.section.9.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
-            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
+         <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security considerations relevant to
+            HTTP message syntax, parsing, and routing. Security considerations about HTTP semantics and payloads are addressed in <a href="#Part2" id="rfc.xref.Part2.32"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
          </p>
          <div id="dns.related.attacks">
@@ -2881 +2878 @@
                that most implementations will choose substantially higher limits.
             </p>
-            <p id="rfc.section.9.3.p.3">This specification also provides a way for servers to reject messages that have request-targets that are too long (<a href="p2-semantics.html#status.414" title="414 URI Too Long">Section 6.5.12</a> of <a href="#Part2" id="rfc.xref.Part2.32"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>) or request entities that are too large (<a href="p2-semantics.html#status.4xx" title="Client Error 4xx">Section 6.5</a> of <a href="#Part2" id="rfc.xref.Part2.33"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>). Additional status codes related to capacity limits have been defined by extensions to HTTP <a href="#RFC6585" id="rfc.xref.RFC6585.1"><cite title="Additional HTTP Status Codes">[RFC6585]</cite></a>.
+            <p id="rfc.section.9.3.p.3">This specification also provides a way for servers to reject messages that have request-targets that are too long (<a href="p2-semantics.html#status.414" title="414 URI Too Long">Section 6.5.12</a> of <a href="#Part2" id="rfc.xref.Part2.33"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>) or request entities that are too large (<a href="p2-semantics.html#status.4xx" title="Client Error 4xx">Section 6.5</a> of <a href="#Part2" id="rfc.xref.Part2.34"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>). Additional status codes related to capacity limits have been defined by extensions to HTTP <a href="#RFC6585" id="rfc.xref.RFC6585.1"><cite title="Additional HTTP Status Codes">[RFC6585]</cite></a>.
             </p>
             <p id="rfc.section.9.3.p.4">Recipients ought to carefully limit the extent to which they read other fields, including (but not limited to) request methods,
@@ -3646 +3643 @@
             </li>
             <li><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul>
-                  <li><em>Part2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.1">1</a>, <a href="#rfc.xref.Part2.2">2.1</a>, <a href="#rfc.xref.Part2.3">2.1</a>, <a href="#rfc.xref.Part2.4">2.7</a>, <a href="#rfc.xref.Part2.5">2.7.1</a>, <a href="#rfc.xref.Part2.6">3.1.1</a>, <a href="#rfc.xref.Part2.7">3.1.1</a>, <a href="#rfc.xref.Part2.8">3.1.2</a>, <a href="#rfc.xref.Part2.9">3.2</a>, <a href="#rfc.xref.Part2.10">3.2.1</a>, <a href="#rfc.xref.Part2.11">3.3</a>, <a href="#rfc.xref.Part2.12">3.3</a>, <a href="#rfc.xref.Part2.13">3.3</a>, <a href="#rfc.xref.Part2.14">3.3.1</a>, <a href="#rfc.xref.Part2.15">3.3.1</a>, <a href="#rfc.xref.Part2.16">3.3.2</a>, <a href="#rfc.xref.Part2.17">3.3.2</a>, <a href="#rfc.xref.Part2.18">3.3.2</a>, <a href="#rfc.xref.Part2.19">4.3</a>, <a href="#rfc.xref.Part2.20">5.1</a>, <a href="#rfc.xref.Part2.21">5.3</a>, <a href="#rfc.xref.Part2.22">5.3</a>, <a href="#rfc.xref.Part2.23">5.6</a>, <a href="#rfc.xref.Part2.24">5.7.2</a>, <a href="#rfc.xref.Part2.25">5.7.2</a>, <a href="#rfc.xref.Part2.26">6.3.1</a>, <a href="#rfc.xref.Part2.27">6.3.2</a>, <a href="#rfc.xref.Part2.28">6.3.2</a>, <a href="#rfc.xref.Part2.29">6.7</a>, <a href="#rfc.xref.Part2.30">6.7</a>, <a href="#rfc.xref.Part2.31">8.4.1</a>, <a href="#rfc.xref.Part2.32">9.3</a>, <a href="#rfc.xref.Part2.33">9.3</a>, <a href="#Part2"><b>11.1</b></a><ul>
+                  <li><em>Part2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.1">1</a>, <a href="#rfc.xref.Part2.2">2.1</a>, <a href="#rfc.xref.Part2.3">2.1</a>, <a href="#rfc.xref.Part2.4">2.7</a>, <a href="#rfc.xref.Part2.5">2.7.1</a>, <a href="#rfc.xref.Part2.6">3.1.1</a>, <a href="#rfc.xref.Part2.7">3.1.1</a>, <a href="#rfc.xref.Part2.8">3.1.2</a>, <a href="#rfc.xref.Part2.9">3.2</a>, <a href="#rfc.xref.Part2.10">3.2.1</a>, <a href="#rfc.xref.Part2.11">3.3</a>, <a href="#rfc.xref.Part2.12">3.3</a>, <a href="#rfc.xref.Part2.13">3.3</a>, <a href="#rfc.xref.Part2.14">3.3.1</a>, <a href="#rfc.xref.Part2.15">3.3.1</a>, <a href="#rfc.xref.Part2.16">3.3.2</a>, <a href="#rfc.xref.Part2.17">3.3.2</a>, <a href="#rfc.xref.Part2.18">3.3.2</a>, <a href="#rfc.xref.Part2.19">4.3</a>, <a href="#rfc.xref.Part2.20">5.1</a>, <a href="#rfc.xref.Part2.21">5.3</a>, <a href="#rfc.xref.Part2.22">5.3</a>, <a href="#rfc.xref.Part2.23">5.6</a>, <a href="#rfc.xref.Part2.24">5.7.2</a>, <a href="#rfc.xref.Part2.25">5.7.2</a>, <a href="#rfc.xref.Part2.26">6.3.1</a>, <a href="#rfc.xref.Part2.27">6.3.2</a>, <a href="#rfc.xref.Part2.28">6.3.2</a>, <a href="#rfc.xref.Part2.29">6.7</a>, <a href="#rfc.xref.Part2.30">6.7</a>, <a href="#rfc.xref.Part2.31">8.4.1</a>, <a href="#rfc.xref.Part2.32">9</a>, <a href="#rfc.xref.Part2.33">9.3</a>, <a href="#rfc.xref.Part2.34">9.3</a>, <a href="#Part2"><b>11.1</b></a><ul>
                         <li><em>Section 2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.4">2.7</a></li>
                         <li><em>Section 3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.16">3.3.2</a></li>
@@ -3664 +3661 @@
                         <li><em>Section 6.3.4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.25">5.7.2</a></li>
                         <li><em>Section 6.4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.30">6.7</a></li>
-                        <li><em>Section 6.5</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.33">9.3</a></li>
-                        <li><em>Section 6.5.12</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.7">3.1.1</a>, <a href="#rfc.xref.Part2.32">9.3</a></li>
+                        <li><em>Section 6.5</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.34">9.3</a></li>
+                        <li><em>Section 6.5.12</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.7">3.1.1</a>, <a href="#rfc.xref.Part2.33">9.3</a></li>
                         <li><em>Section 7.1.1.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.9">3.2</a></li>
                         <li><em>Section 8.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.10">3.2.1</a></li>

draft-ietf-httpbis/latest/p1-messaging.xml

@@ -51 +51 @@
   <!ENTITY qvalue                 "<xref target='Part2' x:rel='#quality.values' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
   <!ENTITY resource               "<xref target='Part2' x:rel='#resources' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
+  <!ENTITY semantics              "<xref target='Part2' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
   <!ENTITY status-codes           "<xref target='Part2' x:rel='#status.codes' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
   <!ENTITY status-1xx             "<xref target='Part2' x:rel='#status.1xx' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
@@ -3847 +3848 @@
 <t>
    This section is meant to inform developers, information providers, and
-   users of known security concerns relevant to HTTP/1.1 message syntax,
-   parsing, and routing.
-</t>
-<t>
-   The list of considerations below is not exhaustive &mdash; security
-   analysis in an ongoing activity. Various organizations, such as the 
-   "Open Web Application Security Project" (OWASP,
-   <eref target="https://www.owasp.org/"/>), provide information about current
-   research.
+   users of known security considerations relevant to HTTP message syntax,
+   parsing, and routing. Security considerations about HTTP semantics and
+   payloads are addressed in &semantics;.
 </t>
 

draft-ietf-httpbis/latest/p2-semantics.html

@@ -4137 +4137 @@
       <div id="security.considerations">
          <h1 id="rfc.section.9"><a href="#rfc.section.9">9.</a>&nbsp;<a href="#security.considerations">Security Considerations</a></h1>
-         <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security concerns relevant to HTTP/1.1
-            semantics and its use for transferring information over the Internet. Considerations related to message syntax, parsing, and
-            routing are discussed in <a href="p1-messaging.html#security.considerations" title="Security Considerations">Section 9</a> of <a href="#Part1" id="rfc.xref.Part1.42"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>.
+         <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security concerns relevant to HTTP semantics
+            and its use for transferring information over the Internet. Considerations related to message syntax, parsing, and routing
+            are discussed in <a href="p1-messaging.html#security.considerations" title="Security Considerations">Section 9</a> of <a href="#Part1" id="rfc.xref.Part1.42"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>.
          </p>
          <p id="rfc.section.9.p.2">The list of considerations below is not exhaustive. Most security concerns related to HTTP semantics are about securing server-side

draft-ietf-httpbis/latest/p2-semantics.xml

@@ -4915 +4915 @@
 <t>
    This section is meant to inform developers, information providers, and
-   users of known security concerns relevant to HTTP/1.1 semantics and its
+   users of known security concerns relevant to HTTP semantics and its
    use for transferring information over the Internet. Considerations related
    to message syntax, parsing, and routing are discussed in

draft-ietf-httpbis/latest/p4-conditional.html

@@ -448 +448 @@
   }
   @bottom-center {
-       content: "Expires July 26, 2014";
+       content: "Expires July 27, 2014";
   }
   @bottom-right {
@@ -491 +491 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p4-conditional-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2014-01-22">
+      <meta name="dct.issued" scheme="ISO8601" content="2014-01-23">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP/1.1 conditional requests, including metadata header fields for indicating state changes, request header fields for making preconditions on such state, and rules for constructing the responses to a conditional request when one or more preconditions evaluate to false.">
@@ -517 +517 @@
             </tr>
             <tr>
-               <td class="left">Expires: July 26, 2014</td>
-               <td class="right">January 22, 2014</td>
+               <td class="left">Expires: July 27, 2014</td>
+               <td class="right">January 23, 2014</td>
             </tr>
          </tbody>
@@ -546 +546 @@
             in progress”.
          </p>
-         <p>This Internet-Draft will expire on July 26, 2014.</p>
+         <p>This Internet-Draft will expire on July 27, 2014.</p>
       </div>
       <div id="rfc.copyrightnotice">
@@ -1305 +1305 @@
       <div id="security.considerations">
          <h1 id="rfc.section.8"><a href="#rfc.section.8">8.</a>&nbsp;<a href="#security.considerations">Security Considerations</a></h1>
-         <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP/1.1
+         <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP
             conditional request mechanisms. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
          </p>
-         <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
-            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
-         </p>
-         <p id="rfc.section.8.p.3">The validators defined by this specification are not intended to ensure the validity of a representation, guard against malicious
+         <p id="rfc.section.8.p.2">The validators defined by this specification are not intended to ensure the validity of a representation, guard against malicious
             changes, or detect man-in-the-middle attacks. At best, they enable more efficient cache updates and optimistic concurrent
             writes when all participants are behaving nicely. At worst, the conditions will fail and the client will receive a response
             that is no more harmful than an HTTP exchange without conditional requests.
          </p>
-         <p id="rfc.section.8.p.4">An entity-tag can be abused in ways that create privacy risks. For example, a site might deliberately construct a semantically
+         <p id="rfc.section.8.p.3">An entity-tag can be abused in ways that create privacy risks. For example, a site might deliberately construct a semantically
             invalid entity-tag that is unique to the user or user agent, send it in a cacheable response with a long freshness time, and
             then read that entity-tag in later conditional requests as a means of re-identifying that user or user agent. Such an identifying

draft-ietf-httpbis/latest/p4-conditional.xml

@@ -1230 +1230 @@
 <t>
    This section is meant to inform developers, information providers, and
-   users of known security concerns specific to the HTTP/1.1 conditional
+   users of known security concerns specific to the HTTP conditional
    request mechanisms. More general security considerations are addressed
    in HTTP messaging &messaging; and semantics &semantics;.
-</t>
-<t>
-   The list of considerations below is not exhaustive &mdash; security
-   analysis in an ongoing activity. Various organizations, such as the 
-   "Open Web Application Security Project" (OWASP,
-   <eref target="https://www.owasp.org/"/>), provide information about current
-   research.
 </t>
 <t>

draft-ietf-httpbis/latest/p5-range.html

@@ -448 +448 @@
   }
   @bottom-center {
-       content: "Expires July 23, 2014";
+       content: "Expires July 27, 2014";
   }
   @bottom-right {
@@ -491 +491 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p5-range-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2014-01-19">
+      <meta name="dct.issued" scheme="ISO8601" content="2014-01-23">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines range requests and the rules for constructing and combining responses to those requests.">
@@ -517 +517 @@
             </tr>
             <tr>
-               <td class="left">Expires: July 23, 2014</td>
+               <td class="left">Expires: July 27, 2014</td>
                <td class="right">J. Reschke, Editor</td>
             </tr>
@@ -526 +526 @@
             <tr>
                <td class="left"></td>
-               <td class="right">January 19, 2014</td>
+               <td class="right">January 23, 2014</td>
             </tr>
          </tbody>
@@ -553 +553 @@
             in progress”.
          </p>
-         <p>This Internet-Draft will expire on July 23, 2014.</p>
+         <p>This Internet-Draft will expire on July 27, 2014.</p>
       </div>
       <div id="rfc.copyrightnotice">
@@ -1166 +1166 @@
       <div id="security.considerations">
          <h1 id="rfc.section.6"><a href="#rfc.section.6">6.</a>&nbsp;<a href="#security.considerations">Security Considerations</a></h1>
-         <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP/1.1
+         <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP
             range request mechanisms. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
-         </p>
-         <p id="rfc.section.6.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
-            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
          </p>
          <div id="overlapping.ranges">

draft-ietf-httpbis/latest/p5-range.xml

@@ -1049 +1049 @@
 <t>
    This section is meant to inform developers, information providers, and
-   users of known security concerns specific to the HTTP/1.1 range
+   users of known security concerns specific to the HTTP range
    request mechanisms. More general security considerations are addressed
    in HTTP messaging &messaging; and semantics &semantics;.
-</t>
-<t>
-   The list of considerations below is not exhaustive &mdash; security
-   analysis in an ongoing activity. Various organizations, such as the 
-   "Open Web Application Security Project" (OWASP,
-   <eref target="https://www.owasp.org/"/>), provide information about current
-   research.
 </t>
 

draft-ietf-httpbis/latest/p6-cache.html

@@ -451 +451 @@
   }
   @bottom-center {
-       content: "Expires July 26, 2014";
+       content: "Expires July 27, 2014";
   }
   @bottom-right {
@@ -495 +495 @@
       <meta name="dct.creator" content="Reschke, J. F.">
       <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p6-cache-latest">
-      <meta name="dct.issued" scheme="ISO8601" content="2014-01-22">
+      <meta name="dct.issued" scheme="ISO8601" content="2014-01-23">
       <meta name="dct.replaces" content="urn:ietf:rfc:2616">
       <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.">
@@ -521 +521 @@
             </tr>
             <tr>
-               <td class="left">Expires: July 26, 2014</td>
+               <td class="left">Expires: July 27, 2014</td>
                <td class="right">J. Reschke, Editor</td>
             </tr>
@@ -530 +530 @@
             <tr>
                <td class="left"></td>
-               <td class="right">January 22, 2014</td>
+               <td class="right">January 23, 2014</td>
             </tr>
          </tbody>
@@ -557 +557 @@
             in progress”.
          </p>
-         <p>This Internet-Draft will expire on July 26, 2014.</p>
+         <p>This Internet-Draft will expire on July 27, 2014.</p>
       </div>
       <div id="rfc.copyrightnotice">
@@ -1921 +1921 @@
       <div id="security.considerations">
          <h1 id="rfc.section.8"><a href="#rfc.section.8">8.</a>&nbsp;<a href="#security.considerations">Security Considerations</a></h1>
-         <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP/1.1
-            caching. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
-         </p>
-         <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
-            as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
-         </p>
-         <p id="rfc.section.8.p.3">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious
+         <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP caching.
+            More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
+         </p>
+         <p id="rfc.section.8.p.2">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious
             exploitation. Because cache contents persist after an HTTP request is complete, an attack on the cache can reveal information
             long after a user believes that the information has been removed from the network. Therefore, cache contents need to be protected
             as sensitive information.
          </p>
-         <p id="rfc.section.8.p.4">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the
-            cache to distribute a malicious payload to many clients, and are especially effective when an attacker can use implmentation
-            flaws, elevated priviledges or other techniques to insert such a response into a cache. One common attack vector for cache
+         <p id="rfc.section.8.p.3">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the
+            cache to distribute a malicious payload to many clients, and are especially effective when an attacker can use implementation
+            flaws, elevated privileges, or other techniques to insert such a response into a cache. One common attack vector for cache
             poisoning is to exploit differences in message parsing on proxies and in user agents; see <a href="p1-messaging.html#message.body.length" title="Message Body Length">Section 3.3.3</a> of <a href="#Part1" id="rfc.xref.Part1.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> for the relevant requirements.
          </p>
-         <p id="rfc.section.8.p.5">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information
+         <p id="rfc.section.8.p.4">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information
             (e.g., authentication credentials) that is thought to be private, exposing it to unauthorized parties.
          </p>
-         <p id="rfc.section.8.p.6">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first
+         <p id="rfc.section.8.p.5">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first
             one browses to a site, the second may be able to detect that the other has been to that site, because the resources from it
             load more quickly, thanks to the cache.
          </p>
-         <p id="rfc.section.8.p.7">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent
+         <p id="rfc.section.8.p.6">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent
             requests to caches. Servers who wish to control caching of these responses are encouraged to emit appropriate Cache-Control
             response header fields.

draft-ietf-httpbis/latest/p6-cache.xml

@@ -2145 +2145 @@
 <t>
    This section is meant to inform developers, information providers, and
-   users of known security concerns specific to HTTP/1.1 caching.
+   users of known security concerns specific to HTTP caching.
    More general security considerations are addressed in HTTP messaging
    &messaging; and semantics &semantics;.
-</t>
-<t>
-   The list of considerations below is not exhaustive &mdash; security
-   analysis in an ongoing activity. Various organizations, such as the 
-   "Open Web Application Security Project" (OWASP,
-   <eref target="https://www.owasp.org/"/>), provide information about current
-   research.
 </t>
 <t>
@@ -2168 +2161 @@
    shared cache; such "cache poisoning" attacks use the cache to distribute a
    malicious payload to many clients, and are especially effective when an
-   attacker can use implmentation flaws, elevated priviledges or other
+   attacker can use implementation flaws, elevated privileges, or other
    techniques to insert such a response into a cache. One common attack vector
    for cache poisoning is to exploit differences in message parsing on proxies