Changeset 2569
- Timestamp: 23/01/14 09:31:59
- Location: draft-ietf-httpbis/latest
- Files: 10 edited
draft-ietf-httpbis/latest/p1-messaging.html
r2566 r2569 448 448 } 449 449 @bottom-center { 450 content: "Expires July 2 6, 2014";450 content: "Expires July 27, 2014"; 451 451 } 452 452 @bottom-right { … … 490 490 <meta name="dct.creator" content="Reschke, J. F."> 491 491 <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p1-messaging-latest"> 492 <meta name="dct.issued" scheme="ISO8601" content="2014-01-2 2">492 <meta name="dct.issued" scheme="ISO8601" content="2014-01-23"> 493 493 <meta name="dct.replaces" content="urn:ietf:rfc:2145"> 494 494 <meta name="dct.replaces" content="urn:ietf:rfc:2616"> … … 519 519 <tr> 520 520 <td class="left">Intended status: Standards Track</td> 521 <td class="right">January 2 2, 2014</td>521 <td class="right">January 23, 2014</td> 522 522 </tr> 523 523 <tr> 524 <td class="left">Expires: July 2 6, 2014</td>524 <td class="left">Expires: July 27, 2014</td> 525 525 <td class="right"></td> 526 526 </tr> … … 551 551 in progress”. 552 552 </p> 553 <p>This Internet-Draft will expire on July 2 6, 2014.</p>553 <p>This Internet-Draft will expire on July 27, 2014.</p> 554 554 </div> 555 555 <div id="rfc.copyrightnotice"> … … 2844 2844 <div id="security.considerations"> 2845 2845 <h1 id="rfc.section.9"><a href="#rfc.section.9">9.</a> <a href="#security.considerations">Security Considerations</a></h1> 2846 <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security concerns relevant to HTTP/1.1 2847 message syntax, parsing, and routing. 2848 </p> 2849 <p id="rfc.section.9.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such 2850 as the "Open Web Application Security Project" (OWASP, <<a href="https://www.owasp.org/">https://www.owasp.org/</a>>), provide information about current research. 
2846 <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security considerations relevant to 2847 HTTP message syntax, parsing, and routing. Security considerations about HTTP semantics and payloads are addressed in <a href="#Part2" id="rfc.xref.Part2.32"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>. 2851 2848 </p> 2852 2849 <div id="dns.related.attacks"> … … 2881 2878 that most implementations will choose substantially higher limits. 2882 2879 </p> 2883 <p id="rfc.section.9.3.p.3">This specification also provides a way for servers to reject messages that have request-targets that are too long (<a href="p2-semantics.html#status.414" title="414 URI Too Long">Section 6.5.12</a> of <a href="#Part2" id="rfc.xref.Part2.3 2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>) or request entities that are too large (<a href="p2-semantics.html#status.4xx" title="Client Error 4xx">Section 6.5</a> of <a href="#Part2" id="rfc.xref.Part2.33"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>). 
Additional status codes related to capacity limits have been defined by extensions to HTTP <a href="#RFC6585" id="rfc.xref.RFC6585.1"><cite title="Additional HTTP Status Codes">[RFC6585]</cite></a>.2880 <p id="rfc.section.9.3.p.3">This specification also provides a way for servers to reject messages that have request-targets that are too long (<a href="p2-semantics.html#status.414" title="414 URI Too Long">Section 6.5.12</a> of <a href="#Part2" id="rfc.xref.Part2.33"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>) or request entities that are too large (<a href="p2-semantics.html#status.4xx" title="Client Error 4xx">Section 6.5</a> of <a href="#Part2" id="rfc.xref.Part2.34"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>). Additional status codes related to capacity limits have been defined by extensions to HTTP <a href="#RFC6585" id="rfc.xref.RFC6585.1"><cite title="Additional HTTP Status Codes">[RFC6585]</cite></a>. 
2884 2881 </p> 2885 2882 <p id="rfc.section.9.3.p.4">Recipients ought to carefully limit the extent to which they read other fields, including (but not limited to) request methods, … … 3646 3643 </li> 3647 3644 <li><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul> 3648 <li><em>Part2</em> <a href="#rfc.xref.Part2.1">1</a>, <a href="#rfc.xref.Part2.2">2.1</a>, <a href="#rfc.xref.Part2.3">2.1</a>, <a href="#rfc.xref.Part2.4">2.7</a>, <a href="#rfc.xref.Part2.5">2.7.1</a>, <a href="#rfc.xref.Part2.6">3.1.1</a>, <a href="#rfc.xref.Part2.7">3.1.1</a>, <a href="#rfc.xref.Part2.8">3.1.2</a>, <a href="#rfc.xref.Part2.9">3.2</a>, <a href="#rfc.xref.Part2.10">3.2.1</a>, <a href="#rfc.xref.Part2.11">3.3</a>, <a href="#rfc.xref.Part2.12">3.3</a>, <a href="#rfc.xref.Part2.13">3.3</a>, <a href="#rfc.xref.Part2.14">3.3.1</a>, <a href="#rfc.xref.Part2.15">3.3.1</a>, <a href="#rfc.xref.Part2.16">3.3.2</a>, <a href="#rfc.xref.Part2.17">3.3.2</a>, <a href="#rfc.xref.Part2.18">3.3.2</a>, <a href="#rfc.xref.Part2.19">4.3</a>, <a href="#rfc.xref.Part2.20">5.1</a>, <a href="#rfc.xref.Part2.21">5.3</a>, <a href="#rfc.xref.Part2.22">5.3</a>, <a href="#rfc.xref.Part2.23">5.6</a>, <a href="#rfc.xref.Part2.24">5.7.2</a>, <a href="#rfc.xref.Part2.25">5.7.2</a>, <a href="#rfc.xref.Part2.26">6.3.1</a>, <a href="#rfc.xref.Part2.27">6.3.2</a>, <a href="#rfc.xref.Part2.28">6.3.2</a>, <a href="#rfc.xref.Part2.29">6.7</a>, <a href="#rfc.xref.Part2.30">6.7</a>, <a href="#rfc.xref.Part2.31">8.4.1</a>, <a href="#rfc.xref.Part2.32">9 .3</a>, <a href="#rfc.xref.Part2.33">9.3</a>, <a href="#Part2"><b>11.1</b></a><ul>3645 <li><em>Part2</em> <a href="#rfc.xref.Part2.1">1</a>, <a href="#rfc.xref.Part2.2">2.1</a>, <a href="#rfc.xref.Part2.3">2.1</a>, <a href="#rfc.xref.Part2.4">2.7</a>, <a href="#rfc.xref.Part2.5">2.7.1</a>, <a href="#rfc.xref.Part2.6">3.1.1</a>, <a href="#rfc.xref.Part2.7">3.1.1</a>, <a href="#rfc.xref.Part2.8">3.1.2</a>, <a href="#rfc.xref.Part2.9">3.2</a>, <a 
href="#rfc.xref.Part2.10">3.2.1</a>, <a href="#rfc.xref.Part2.11">3.3</a>, <a href="#rfc.xref.Part2.12">3.3</a>, <a href="#rfc.xref.Part2.13">3.3</a>, <a href="#rfc.xref.Part2.14">3.3.1</a>, <a href="#rfc.xref.Part2.15">3.3.1</a>, <a href="#rfc.xref.Part2.16">3.3.2</a>, <a href="#rfc.xref.Part2.17">3.3.2</a>, <a href="#rfc.xref.Part2.18">3.3.2</a>, <a href="#rfc.xref.Part2.19">4.3</a>, <a href="#rfc.xref.Part2.20">5.1</a>, <a href="#rfc.xref.Part2.21">5.3</a>, <a href="#rfc.xref.Part2.22">5.3</a>, <a href="#rfc.xref.Part2.23">5.6</a>, <a href="#rfc.xref.Part2.24">5.7.2</a>, <a href="#rfc.xref.Part2.25">5.7.2</a>, <a href="#rfc.xref.Part2.26">6.3.1</a>, <a href="#rfc.xref.Part2.27">6.3.2</a>, <a href="#rfc.xref.Part2.28">6.3.2</a>, <a href="#rfc.xref.Part2.29">6.7</a>, <a href="#rfc.xref.Part2.30">6.7</a>, <a href="#rfc.xref.Part2.31">8.4.1</a>, <a href="#rfc.xref.Part2.32">9</a>, <a href="#rfc.xref.Part2.33">9.3</a>, <a href="#rfc.xref.Part2.34">9.3</a>, <a href="#Part2"><b>11.1</b></a><ul> 3649 3646 <li><em>Section 2</em> <a href="#rfc.xref.Part2.4">2.7</a></li> 3650 3647 <li><em>Section 3</em> <a href="#rfc.xref.Part2.16">3.3.2</a></li> … … 3664 3661 <li><em>Section 6.3.4</em> <a href="#rfc.xref.Part2.25">5.7.2</a></li> 3665 3662 <li><em>Section 6.4</em> <a href="#rfc.xref.Part2.30">6.7</a></li> 3666 <li><em>Section 6.5</em> <a href="#rfc.xref.Part2.3 3">9.3</a></li>3667 <li><em>Section 6.5.12</em> <a href="#rfc.xref.Part2.7">3.1.1</a>, <a href="#rfc.xref.Part2.3 2">9.3</a></li>3663 <li><em>Section 6.5</em> <a href="#rfc.xref.Part2.34">9.3</a></li> 3664 <li><em>Section 6.5.12</em> <a href="#rfc.xref.Part2.7">3.1.1</a>, <a href="#rfc.xref.Part2.33">9.3</a></li> 3668 3665 <li><em>Section 7.1.1.2</em> <a href="#rfc.xref.Part2.9">3.2</a></li> 3669 3666 <li><em>Section 8.3</em> <a href="#rfc.xref.Part2.10">3.2.1</a></li> -
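Review bot: the new first sentence of 9.p.1 says that "HTTP semantics and payloads" are covered by [Part2], but the unchanged 9.3.p.3 in the same hunk still says "request entities that are too large"; consider "request payloads" there so the terminology matches the Part2 title "Semantics and Content". The xref renumbering (Part2.32 now anchors the section 9 intro, 33 and 34 the two references in 9.3) and the updated index entries are consistent with each other.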
draft-ietf-httpbis/latest/p1-messaging.xml
r2566 r2569 51 51 <!ENTITY qvalue "<xref target='Part2' x:rel='#quality.values' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 52 52 <!ENTITY resource "<xref target='Part2' x:rel='#resources' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 53 <!ENTITY semantics "<xref target='Part2' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 53 54 <!ENTITY status-codes "<xref target='Part2' x:rel='#status.codes' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> 54 55 <!ENTITY status-1xx "<xref target='Part2' x:rel='#status.1xx' xmlns:x='http://purl.org/net/xml2rfc/ext'/>"> … … 3847 3848 <t> 3848 3849 This section is meant to inform developers, information providers, and 3849 users of known security concerns relevant to HTTP/1.1 message syntax, 3850 parsing, and routing. 3851 </t> 3852 <t> 3853 The list of considerations below is not exhaustive — security 3854 analysis in an ongoing activity. Various organizations, such as the 3855 "Open Web Application Security Project" (OWASP, 3856 <eref target="https://www.owasp.org/"/>), provide information about current 3857 research. 3850 users of known security considerations relevant to HTTP message syntax, 3851 parsing, and routing. Security considerations about HTTP semantics and 3852 payloads are addressed in &semantics;. 3858 3853 </t> 3859 3854 -
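Review bot: the new `semantics` entity has no x:rel attribute, unlike the neighbouring `qvalue`, `resource` and `status-codes` entities, so &semantics; resolves to Part2 as a whole; that is what the new sentence needs, but a short comment on the ENTITY line would stop a later editor from "fixing" it by adding a section anchor.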
draft-ietf-httpbis/latest/p2-semantics.html
r2567 r2569 4137 4137 <div id="security.considerations"> 4138 4138 <h1 id="rfc.section.9"><a href="#rfc.section.9">9.</a> <a href="#security.considerations">Security Considerations</a></h1> 4139 <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security concerns relevant to HTTP /1.14140 semantics and its use for transferring information over the Internet. Considerations related to message syntax, parsing, and4141 routingare discussed in <a href="p1-messaging.html#security.considerations" title="Security Considerations">Section 9</a> of <a href="#Part1" id="rfc.xref.Part1.42"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>.4139 <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security concerns relevant to HTTP semantics 4140 and its use for transferring information over the Internet. Considerations related to message syntax, parsing, and routing 4141 are discussed in <a href="p1-messaging.html#security.considerations" title="Security Considerations">Section 9</a> of <a href="#Part1" id="rfc.xref.Part1.42"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>. 4142 4142 </p> 4143 4143 <p id="rfc.section.9.p.2">The list of considerations below is not exhaustive. Most security concerns related to HTTP semantics are about securing server-side -
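Review bot: this part keeps "The list of considerations below is not exhaustive." in 9.p.2 while the corresponding non-exhaustiveness/OWASP paragraph is deleted from the other parts in this changeset. If the intent is to drop only the OWASP pointer and keep the caveat in the one place the other parts now defer to, that works; otherwise this sentence should go too. Worth confirming the asymmetry is deliberate.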
draft-ietf-httpbis/latest/p2-semantics.xml
r2567 r2569 4915 4915 <t> 4916 4916 This section is meant to inform developers, information providers, and 4917 users of known security concerns relevant to HTTP /1.1semantics and its4917 users of known security concerns relevant to HTTP semantics and its 4918 4918 use for transferring information over the Internet. Considerations related 4919 4919 to message syntax, parsing, and routing are discussed in -
draft-ietf-httpbis/latest/p4-conditional.html
r2566 r2569 448 448 } 449 449 @bottom-center { 450 content: "Expires July 2 6, 2014";450 content: "Expires July 27, 2014"; 451 451 } 452 452 @bottom-right { … … 491 491 <meta name="dct.creator" content="Reschke, J. F."> 492 492 <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p4-conditional-latest"> 493 <meta name="dct.issued" scheme="ISO8601" content="2014-01-2 2">493 <meta name="dct.issued" scheme="ISO8601" content="2014-01-23"> 494 494 <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 495 495 <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP/1.1 conditional requests, including metadata header fields for indicating state changes, request header fields for making preconditions on such state, and rules for constructing the responses to a conditional request when one or more preconditions evaluate to false."> … … 517 517 </tr> 518 518 <tr> 519 <td class="left">Expires: July 2 6, 2014</td>520 <td class="right">January 2 2, 2014</td>519 <td class="left">Expires: July 27, 2014</td> 520 <td class="right">January 23, 2014</td> 521 521 </tr> 522 522 </tbody> … … 546 546 in progress”. 
547 547 </p> 548 <p>This Internet-Draft will expire on July 2 6, 2014.</p>548 <p>This Internet-Draft will expire on July 27, 2014.</p> 549 549 </div> 550 550 <div id="rfc.copyrightnotice"> … … 1305 1305 <div id="security.considerations"> 1306 1306 <h1 id="rfc.section.8"><a href="#rfc.section.8">8.</a> <a href="#security.considerations">Security Considerations</a></h1> 1307 <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP /1.11307 <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP 1308 1308 conditional request mechanisms. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>. 1309 1309 </p> 1310 <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such 1311 as the "Open Web Application Security Project" (OWASP, <<a href="https://www.owasp.org/">https://www.owasp.org/</a>>), provide information about current research. 1312 </p> 1313 <p id="rfc.section.8.p.3">The validators defined by this specification are not intended to ensure the validity of a representation, guard against malicious 1310 <p id="rfc.section.8.p.2">The validators defined by this specification are not intended to ensure the validity of a representation, guard against malicious 1314 1311 changes, or detect man-in-the-middle attacks. At best, they enable more efficient cache updates and optimistic concurrent 1315 1312 writes when all participants are behaving nicely. 
At worst, the conditions will fail and the client will receive a response 1316 1313 that is no more harmful than an HTTP exchange without conditional requests. 1317 1314 </p> 1318 <p id="rfc.section.8.p. 4">An entity-tag can be abused in ways that create privacy risks. For example, a site might deliberately construct a semantically1315 <p id="rfc.section.8.p.3">An entity-tag can be abused in ways that create privacy risks. For example, a site might deliberately construct a semantically 1319 1316 invalid entity-tag that is unique to the user or user agent, send it in a cacheable response with a long freshness time, and 1320 1317 then read that entity-tag in later conditional requests as a means of re-identifying that user or user agent. Such an identifying -
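Review bot: deleting 8.p.2 renumbers the generated paragraph ids (old p.3 becomes p.2, old p.4 becomes p.3), so any existing link to #rfc.section.8.p.3 now lands on the validators paragraph instead of the entity-tag privacy paragraph. Nothing to change in the source, but worth knowing if issue-tracker discussions cite these anchors.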
draft-ietf-httpbis/latest/p4-conditional.xml
r2563 r2569 1230 1230 <t> 1231 1231 This section is meant to inform developers, information providers, and 1232 users of known security concerns specific to the HTTP /1.1conditional1232 users of known security concerns specific to the HTTP conditional 1233 1233 request mechanisms. More general security considerations are addressed 1234 1234 in HTTP messaging &messaging; and semantics &semantics;. 1235 </t>1236 <t>1237 The list of considerations below is not exhaustive — security1238 analysis in an ongoing activity. Various organizations, such as the1239 "Open Web Application Security Project" (OWASP,1240 <eref target="https://www.owasp.org/"/>), provide information about current1241 research.1242 1235 </t> 1243 1236 <t> -
draft-ietf-httpbis/latest/p5-range.html
r2563 r2569 448 448 } 449 449 @bottom-center { 450 content: "Expires July 2 3, 2014";450 content: "Expires July 27, 2014"; 451 451 } 452 452 @bottom-right { … … 491 491 <meta name="dct.creator" content="Reschke, J. F."> 492 492 <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p5-range-latest"> 493 <meta name="dct.issued" scheme="ISO8601" content="2014-01- 19">493 <meta name="dct.issued" scheme="ISO8601" content="2014-01-23"> 494 494 <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 495 495 <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines range requests and the rules for constructing and combining responses to those requests."> … … 517 517 </tr> 518 518 <tr> 519 <td class="left">Expires: July 2 3, 2014</td>519 <td class="left">Expires: July 27, 2014</td> 520 520 <td class="right">J. Reschke, Editor</td> 521 521 </tr> … … 526 526 <tr> 527 527 <td class="left"></td> 528 <td class="right">January 19, 2014</td>528 <td class="right">January 23, 2014</td> 529 529 </tr> 530 530 </tbody> … … 553 553 in progress”. 554 554 </p> 555 <p>This Internet-Draft will expire on July 2 3, 2014.</p>555 <p>This Internet-Draft will expire on July 27, 2014.</p> 556 556 </div> 557 557 <div id="rfc.copyrightnotice"> … … 1166 1166 <div id="security.considerations"> 1167 1167 <h1 id="rfc.section.6"><a href="#rfc.section.6">6.</a> <a href="#security.considerations">Security Considerations</a></h1> 1168 <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP /1.11168 <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP 1169 1169 range request mechanisms. 
More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>. 1170 </p>1171 <p id="rfc.section.6.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such1172 as the "Open Web Application Security Project" (OWASP, <<a href="https://www.owasp.org/">https://www.owasp.org/</a>>), provide information about current research.1173 1170 </p> 1174 1171 <div id="overlapping.ranges"> -
draft-ietf-httpbis/latest/p5-range.xml
r2563 r2569 1049 1049 <t> 1050 1050 This section is meant to inform developers, information providers, and 1051 users of known security concerns specific to the HTTP /1.1range1051 users of known security concerns specific to the HTTP range 1052 1052 request mechanisms. More general security considerations are addressed 1053 1053 in HTTP messaging &messaging; and semantics &semantics;. 1054 </t>1055 <t>1056 The list of considerations below is not exhaustive — security1057 analysis in an ongoing activity. Various organizations, such as the1058 "Open Web Application Security Project" (OWASP,1059 <eref target="https://www.owasp.org/"/>), provide information about current1060 research.1061 1054 </t> 1062 1055 -
draft-ietf-httpbis/latest/p6-cache.html
r2566 r2569 451 451 } 452 452 @bottom-center { 453 content: "Expires July 2 6, 2014";453 content: "Expires July 27, 2014"; 454 454 } 455 455 @bottom-right { … … 495 495 <meta name="dct.creator" content="Reschke, J. F."> 496 496 <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p6-cache-latest"> 497 <meta name="dct.issued" scheme="ISO8601" content="2014-01-2 2">497 <meta name="dct.issued" scheme="ISO8601" content="2014-01-23"> 498 498 <meta name="dct.replaces" content="urn:ietf:rfc:2616"> 499 499 <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages."> … … 521 521 </tr> 522 522 <tr> 523 <td class="left">Expires: July 2 6, 2014</td>523 <td class="left">Expires: July 27, 2014</td> 524 524 <td class="right">J. Reschke, Editor</td> 525 525 </tr> … … 530 530 <tr> 531 531 <td class="left"></td> 532 <td class="right">January 2 2, 2014</td>532 <td class="right">January 23, 2014</td> 533 533 </tr> 534 534 </tbody> … … 557 557 in progress”. 558 558 </p> 559 <p>This Internet-Draft will expire on July 2 6, 2014.</p>559 <p>This Internet-Draft will expire on July 27, 2014.</p> 560 560 </div> 561 561 <div id="rfc.copyrightnotice"> … … 1921 1921 <div id="security.considerations"> 1922 1922 <h1 id="rfc.section.8"><a href="#rfc.section.8">8.</a> <a href="#security.considerations">Security Considerations</a></h1> 1923 <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP/1.1 1924 caching. 
More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>. 1925 </p> 1926 <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such 1927 as the "Open Web Application Security Project" (OWASP, <<a href="https://www.owasp.org/">https://www.owasp.org/</a>>), provide information about current research. 1928 </p> 1929 <p id="rfc.section.8.p.3">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious 1923 <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP caching. 1924 More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>. 1925 </p> 1926 <p id="rfc.section.8.p.2">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious 1930 1927 exploitation. Because cache contents persist after an HTTP request is complete, an attack on the cache can reveal information 1931 1928 long after a user believes that the information has been removed from the network. Therefore, cache contents need to be protected 1932 1929 as sensitive information. 1933 1930 </p> 1934 <p id="rfc.section.8.p. 
4">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the1935 cache to distribute a malicious payload to many clients, and are especially effective when an attacker can use impl mentation1936 flaws, elevated privile dgesor other techniques to insert such a response into a cache. One common attack vector for cache1931 <p id="rfc.section.8.p.3">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the 1932 cache to distribute a malicious payload to many clients, and are especially effective when an attacker can use implementation 1933 flaws, elevated privileges, or other techniques to insert such a response into a cache. One common attack vector for cache 1937 1934 poisoning is to exploit differences in message parsing on proxies and in user agents; see <a href="p1-messaging.html#message.body.length" title="Message Body Length">Section 3.3.3</a> of <a href="#Part1" id="rfc.xref.Part1.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> for the relevant requirements. 1938 1935 </p> 1939 <p id="rfc.section.8.p. 5">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information1936 <p id="rfc.section.8.p.4">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information 1940 1937 (e.g., authentication credentials) that is thought to be private, exposing it to unauthorized parties. 1941 1938 </p> 1942 <p id="rfc.section.8.p. 6">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first1939 <p id="rfc.section.8.p.5">Furthermore, the very use of a cache can bring about privacy concerns. 
For example, if two users share a cache, and the first 1943 1940 one browses to a site, the second may be able to detect that the other has been to that site, because the resources from it 1944 1941 load more quickly, thanks to the cache. 1945 1942 </p> 1946 <p id="rfc.section.8.p. 7">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent1943 <p id="rfc.section.8.p.6">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent 1947 1944 requests to caches. Servers who wish to control caching of these responses are encouraged to emit appropriate Cache-Control 1948 1945 response header fields. -
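Review bot: besides the paragraph removal (and the same id renumbering, old p.3 through p.7 each shifting up by one), this hunk fixes "impl mentation" and "priviledges" and adds a serial comma in 8.p.3. In the unchanged context of 8.p.6, "Servers who wish to control caching" would read better as "Servers that wish", if another editorial pass is planned.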
draft-ietf-httpbis/latest/p6-cache.xml
r2563 r2569 2145 2145 <t> 2146 2146 This section is meant to inform developers, information providers, and 2147 users of known security concerns specific to HTTP /1.1caching.2147 users of known security concerns specific to HTTP caching. 2148 2148 More general security considerations are addressed in HTTP messaging 2149 2149 &messaging; and semantics &semantics;. 2150 </t>2151 <t>2152 The list of considerations below is not exhaustive — security2153 analysis in an ongoing activity. Various organizations, such as the2154 "Open Web Application Security Project" (OWASP,2155 <eref target="https://www.owasp.org/"/>), provide information about current2156 research.2157 2150 </t> 2158 2151 <t> … … 2168 2161 shared cache; such "cache poisoning" attacks use the cache to distribute a 2169 2162 malicious payload to many clients, and are especially effective when an 2170 attacker can use impl mentation flaws, elevated priviledgesor other2163 attacker can use implementation flaws, elevated privileges, or other 2171 2164 techniques to insert such a response into a cache. One common attack vector 2172 2165 for cache poisoning is to exploit differences in message parsing on proxies
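Review bot: the spelling fixes in the cache-poisoning paragraph ("implementation", "privileges,") are unrelated to the OWASP-paragraph removal that motivates the rest of the changeset; bundling them is fine, but a one-line mention in the changeset description would help anyone tracing editorial changes later.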