Timestamp:
23/01/14 09:31:59 (7 years ago)
Author:
fielding@…
Message:

(editorial) OWASP only provides useful additional info for web application semantics and authentication; see #520 and #549

Location:
draft-ietf-httpbis/latest
Files:
10 edited

  • draft-ietf-httpbis/latest/p1-messaging.html

    r2566 r2569  
    448448  }
    449449  @bottom-center {
    450        content: "Expires July 26, 2014";
     450       content: "Expires July 27, 2014";
    451451  }
    452452  @bottom-right {
     
    490490      <meta name="dct.creator" content="Reschke, J. F.">
    491491      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p1-messaging-latest">
    492       <meta name="dct.issued" scheme="ISO8601" content="2014-01-22">
     492      <meta name="dct.issued" scheme="ISO8601" content="2014-01-23">
    493493      <meta name="dct.replaces" content="urn:ietf:rfc:2145">
    494494      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
     
    519519            <tr>
    520520               <td class="left">Intended status: Standards Track</td>
    521                <td class="right">January 22, 2014</td>
     521               <td class="right">January 23, 2014</td>
    522522            </tr>
    523523            <tr>
    524                <td class="left">Expires: July 26, 2014</td>
     524               <td class="left">Expires: July 27, 2014</td>
    525525               <td class="right"></td>
    526526            </tr>
     
    551551            in progress”.
    552552         </p>
    553          <p>This Internet-Draft will expire on July 26, 2014.</p>
     553         <p>This Internet-Draft will expire on July 27, 2014.</p>
    554554      </div>
    555555      <div id="rfc.copyrightnotice">
     
    28442844      <div id="security.considerations">
    28452845         <h1 id="rfc.section.9"><a href="#rfc.section.9">9.</a>&nbsp;<a href="#security.considerations">Security Considerations</a></h1>
    2846          <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security concerns relevant to HTTP/1.1
    2847             message syntax, parsing, and routing.
    2848          </p>
    2849          <p id="rfc.section.9.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
    2850             as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
     2846         <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security considerations relevant to
     2847            HTTP message syntax, parsing, and routing. Security considerations about HTTP semantics and payloads are addressed in <a href="#Part2" id="rfc.xref.Part2.32"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
    28512848         </p>
    28522849         <div id="dns.related.attacks">
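Review bot: the xref id renumbering in this hunk needs to be checked against the index hunk further down: the new cross-reference in the section intro takes id rfc.xref.Part2.32, and the two references in 9.3 move from .32/.33 to .33/.34, which is exactly what the Part2 index entry and its "Section 6.5" / "Section 6.5.12" sub-entries now show, so the regenerated HTML is consistent. Separately, the paragraph being dropped carried the grammatical slip "security analysis in an ongoing activity" (should have been "is"), so the removal closes that as well; the same slip disappears with the identical paragraph in p4, p5 and p6.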
     
    28812878               that most implementations will choose substantially higher limits.
    28822879            </p>
    2883             <p id="rfc.section.9.3.p.3">This specification also provides a way for servers to reject messages that have request-targets that are too long (<a href="p2-semantics.html#status.414" title="414 URI Too Long">Section 6.5.12</a> of <a href="#Part2" id="rfc.xref.Part2.32"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>) or request entities that are too large (<a href="p2-semantics.html#status.4xx" title="Client Error 4xx">Section 6.5</a> of <a href="#Part2" id="rfc.xref.Part2.33"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>). Additional status codes related to capacity limits have been defined by extensions to HTTP <a href="#RFC6585" id="rfc.xref.RFC6585.1"><cite title="Additional HTTP Status Codes">[RFC6585]</cite></a>.
     2880            <p id="rfc.section.9.3.p.3">This specification also provides a way for servers to reject messages that have request-targets that are too long (<a href="p2-semantics.html#status.414" title="414 URI Too Long">Section 6.5.12</a> of <a href="#Part2" id="rfc.xref.Part2.33"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>) or request entities that are too large (<a href="p2-semantics.html#status.4xx" title="Client Error 4xx">Section 6.5</a> of <a href="#Part2" id="rfc.xref.Part2.34"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>). Additional status codes related to capacity limits have been defined by extensions to HTTP <a href="#RFC6585" id="rfc.xref.RFC6585.1"><cite title="Additional HTTP Status Codes">[RFC6585]</cite></a>.
    28842881            </p>
    28852882            <p id="rfc.section.9.3.p.4">Recipients ought to carefully limit the extent to which they read other fields, including (but not limited to) request methods,
     
    36463643            </li>
    36473644            <li><a id="rfc.index.P" href="#rfc.index.P"><b>P</b></a><ul>
    3648                   <li><em>Part2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.1">1</a>, <a href="#rfc.xref.Part2.2">2.1</a>, <a href="#rfc.xref.Part2.3">2.1</a>, <a href="#rfc.xref.Part2.4">2.7</a>, <a href="#rfc.xref.Part2.5">2.7.1</a>, <a href="#rfc.xref.Part2.6">3.1.1</a>, <a href="#rfc.xref.Part2.7">3.1.1</a>, <a href="#rfc.xref.Part2.8">3.1.2</a>, <a href="#rfc.xref.Part2.9">3.2</a>, <a href="#rfc.xref.Part2.10">3.2.1</a>, <a href="#rfc.xref.Part2.11">3.3</a>, <a href="#rfc.xref.Part2.12">3.3</a>, <a href="#rfc.xref.Part2.13">3.3</a>, <a href="#rfc.xref.Part2.14">3.3.1</a>, <a href="#rfc.xref.Part2.15">3.3.1</a>, <a href="#rfc.xref.Part2.16">3.3.2</a>, <a href="#rfc.xref.Part2.17">3.3.2</a>, <a href="#rfc.xref.Part2.18">3.3.2</a>, <a href="#rfc.xref.Part2.19">4.3</a>, <a href="#rfc.xref.Part2.20">5.1</a>, <a href="#rfc.xref.Part2.21">5.3</a>, <a href="#rfc.xref.Part2.22">5.3</a>, <a href="#rfc.xref.Part2.23">5.6</a>, <a href="#rfc.xref.Part2.24">5.7.2</a>, <a href="#rfc.xref.Part2.25">5.7.2</a>, <a href="#rfc.xref.Part2.26">6.3.1</a>, <a href="#rfc.xref.Part2.27">6.3.2</a>, <a href="#rfc.xref.Part2.28">6.3.2</a>, <a href="#rfc.xref.Part2.29">6.7</a>, <a href="#rfc.xref.Part2.30">6.7</a>, <a href="#rfc.xref.Part2.31">8.4.1</a>, <a href="#rfc.xref.Part2.32">9.3</a>, <a href="#rfc.xref.Part2.33">9.3</a>, <a href="#Part2"><b>11.1</b></a><ul>
     3645                  <li><em>Part2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.1">1</a>, <a href="#rfc.xref.Part2.2">2.1</a>, <a href="#rfc.xref.Part2.3">2.1</a>, <a href="#rfc.xref.Part2.4">2.7</a>, <a href="#rfc.xref.Part2.5">2.7.1</a>, <a href="#rfc.xref.Part2.6">3.1.1</a>, <a href="#rfc.xref.Part2.7">3.1.1</a>, <a href="#rfc.xref.Part2.8">3.1.2</a>, <a href="#rfc.xref.Part2.9">3.2</a>, <a href="#rfc.xref.Part2.10">3.2.1</a>, <a href="#rfc.xref.Part2.11">3.3</a>, <a href="#rfc.xref.Part2.12">3.3</a>, <a href="#rfc.xref.Part2.13">3.3</a>, <a href="#rfc.xref.Part2.14">3.3.1</a>, <a href="#rfc.xref.Part2.15">3.3.1</a>, <a href="#rfc.xref.Part2.16">3.3.2</a>, <a href="#rfc.xref.Part2.17">3.3.2</a>, <a href="#rfc.xref.Part2.18">3.3.2</a>, <a href="#rfc.xref.Part2.19">4.3</a>, <a href="#rfc.xref.Part2.20">5.1</a>, <a href="#rfc.xref.Part2.21">5.3</a>, <a href="#rfc.xref.Part2.22">5.3</a>, <a href="#rfc.xref.Part2.23">5.6</a>, <a href="#rfc.xref.Part2.24">5.7.2</a>, <a href="#rfc.xref.Part2.25">5.7.2</a>, <a href="#rfc.xref.Part2.26">6.3.1</a>, <a href="#rfc.xref.Part2.27">6.3.2</a>, <a href="#rfc.xref.Part2.28">6.3.2</a>, <a href="#rfc.xref.Part2.29">6.7</a>, <a href="#rfc.xref.Part2.30">6.7</a>, <a href="#rfc.xref.Part2.31">8.4.1</a>, <a href="#rfc.xref.Part2.32">9</a>, <a href="#rfc.xref.Part2.33">9.3</a>, <a href="#rfc.xref.Part2.34">9.3</a>, <a href="#Part2"><b>11.1</b></a><ul>
    36493646                        <li><em>Section 2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.4">2.7</a></li>
    36503647                        <li><em>Section 3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.16">3.3.2</a></li>
     
    36643661                        <li><em>Section 6.3.4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.25">5.7.2</a></li>
    36653662                        <li><em>Section 6.4</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.30">6.7</a></li>
    3666                         <li><em>Section 6.5</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.33">9.3</a></li>
    3667                         <li><em>Section 6.5.12</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.7">3.1.1</a>, <a href="#rfc.xref.Part2.32">9.3</a></li>
     3663                        <li><em>Section 6.5</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.34">9.3</a></li>
     3664                        <li><em>Section 6.5.12</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.7">3.1.1</a>, <a href="#rfc.xref.Part2.33">9.3</a></li>
    36683665                        <li><em>Section 7.1.1.2</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.9">3.2</a></li>
    36693666                        <li><em>Section 8.3</em>&nbsp;&nbsp;<a href="#rfc.xref.Part2.10">3.2.1</a></li>
  • draft-ietf-httpbis/latest/p1-messaging.xml

    r2566 r2569  
    5151  <!ENTITY qvalue                 "<xref target='Part2' x:rel='#quality.values' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
    5252  <!ENTITY resource               "<xref target='Part2' x:rel='#resources' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
     53  <!ENTITY semantics              "<xref target='Part2' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
    5354  <!ENTITY status-codes           "<xref target='Part2' x:rel='#status.codes' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
    5455  <!ENTITY status-1xx             "<xref target='Part2' x:rel='#status.1xx' xmlns:x='http://purl.org/net/xml2rfc/ext'/>">
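Review bot: the new &semantics; entity is a bare <xref target='Part2'/> with no x:rel anchor, which is the right shape for a whole-document reference and matches the entity name the p4-conditional.xml, p5-range.xml and p6-cache.xml hunks already rely on ("in HTTP messaging &messaging; and semantics &semantics;"); it is also inserted between "resource" and "status-codes", so the entity list stays alphabetical. Nothing to change.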
     
    38473848<t>
    38483849   This section is meant to inform developers, information providers, and
    3849    users of known security concerns relevant to HTTP/1.1 message syntax,
    3850    parsing, and routing.
    3851 </t>
    3852 <t>
    3853    The list of considerations below is not exhaustive &mdash; security
    3854    analysis in an ongoing activity. Various organizations, such as the
    3855    "Open Web Application Security Project" (OWASP,
    3856    <eref target="https://www.owasp.org/"/>), provide information about current
    3857    research.
     3850   users of known security considerations relevant to HTTP message syntax,
     3851   parsing, and routing. Security considerations about HTTP semantics and
     3852   payloads are addressed in &semantics;.
    38583853</t>
    38593854
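Review bot: the wording of the surviving sentence now diverges from the sibling parts: here it reads "known security considerations relevant to HTTP message syntax", while the p2, p4, p5 and p6 hunks in this same changeset keep "known security concerns"; with "Security considerations about HTTP semantics and payloads" following immediately, "considerations" also repeats across two adjacent sentences. Suggest keeping "concerns" in the first sentence ("users of known security concerns relevant to HTTP message syntax, parsing, and routing.") so all five parts use one term and the new sentence can carry "considerations" alone.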
  • draft-ietf-httpbis/latest/p2-semantics.html

    r2567 r2569  
    41374137      <div id="security.considerations">
    41384138         <h1 id="rfc.section.9"><a href="#rfc.section.9">9.</a>&nbsp;<a href="#security.considerations">Security Considerations</a></h1>
    4139          <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security concerns relevant to HTTP/1.1
    4140             semantics and its use for transferring information over the Internet. Considerations related to message syntax, parsing, and
    4141             routing are discussed in <a href="p1-messaging.html#security.considerations" title="Security Considerations">Section 9</a> of <a href="#Part1" id="rfc.xref.Part1.42"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>.
     4139         <p id="rfc.section.9.p.1">This section is meant to inform developers, information providers, and users of known security concerns relevant to HTTP semantics
     4140            and its use for transferring information over the Internet. Considerations related to message syntax, parsing, and routing
     4141            are discussed in <a href="p1-messaging.html#security.considerations" title="Security Considerations">Section 9</a> of <a href="#Part1" id="rfc.xref.Part1.42"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a>.
    41424142         </p>
    41434143         <p id="rfc.section.9.p.2">The list of considerations below is not exhaustive. Most security concerns related to HTTP semantics are about securing server-side
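Review bot: unlike p1-messaging.html, p4-conditional.html, p5-range.html and p6-cache.html in this changeset, p2-semantics.html shows no hunk bumping the expiry date, the dated header cell or dct.issued to 2014-01-23; its base revision is r2567 rather than r2566/r2563, so confirm that r2567 already regenerated it with today's date, otherwise the five parts will be published with different expiry dates.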
  • draft-ietf-httpbis/latest/p2-semantics.xml

    r2567 r2569  
    49154915<t>
    49164916   This section is meant to inform developers, information providers, and
    4917    users of known security concerns relevant to HTTP/1.1 semantics and its
     4917   users of known security concerns relevant to HTTP semantics and its
    49184918   use for transferring information over the Internet. Considerations related
    49194919   to message syntax, parsing, and routing are discussed in
  • draft-ietf-httpbis/latest/p4-conditional.html

    r2566 r2569  
    448448  }
    449449  @bottom-center {
    450        content: "Expires July 26, 2014";
     450       content: "Expires July 27, 2014";
    451451  }
    452452  @bottom-right {
     
    491491      <meta name="dct.creator" content="Reschke, J. F.">
    492492      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p4-conditional-latest">
    493       <meta name="dct.issued" scheme="ISO8601" content="2014-01-22">
     493      <meta name="dct.issued" scheme="ISO8601" content="2014-01-23">
    494494      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    495495      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP/1.1 conditional requests, including metadata header fields for indicating state changes, request header fields for making preconditions on such state, and rules for constructing the responses to a conditional request when one or more preconditions evaluate to false.">
     
    517517            </tr>
    518518            <tr>
    519                <td class="left">Expires: July 26, 2014</td>
    520                <td class="right">January 22, 2014</td>
     519               <td class="left">Expires: July 27, 2014</td>
     520               <td class="right">January 23, 2014</td>
    521521            </tr>
    522522         </tbody>
     
    546546            in progress”.
    547547         </p>
    548          <p>This Internet-Draft will expire on July 26, 2014.</p>
     548         <p>This Internet-Draft will expire on July 27, 2014.</p>
    549549      </div>
    550550      <div id="rfc.copyrightnotice">
     
    13051305      <div id="security.considerations">
    13061306         <h1 id="rfc.section.8"><a href="#rfc.section.8">8.</a>&nbsp;<a href="#security.considerations">Security Considerations</a></h1>
    1307          <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP/1.1
     1307         <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP
    13081308            conditional request mechanisms. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.5"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.6"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
    13091309         </p>
    1310          <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
    1311             as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
    1312          </p>
    1313          <p id="rfc.section.8.p.3">The validators defined by this specification are not intended to ensure the validity of a representation, guard against malicious
     1310         <p id="rfc.section.8.p.2">The validators defined by this specification are not intended to ensure the validity of a representation, guard against malicious
    13141311            changes, or detect man-in-the-middle attacks. At best, they enable more efficient cache updates and optimistic concurrent
    13151312            writes when all participants are behaving nicely. At worst, the conditions will fail and the client will receive a response
    13161313            that is no more harmful than an HTTP exchange without conditional requests.
    13171314         </p>
    1318          <p id="rfc.section.8.p.4">An entity-tag can be abused in ways that create privacy risks. For example, a site might deliberately construct a semantically
     1315         <p id="rfc.section.8.p.3">An entity-tag can be abused in ways that create privacy risks. For example, a site might deliberately construct a semantically
    13191316            invalid entity-tag that is unique to the user or user agent, send it in a cacheable response with a long freshness time, and
    13201317            then read that entity-tag in later conditional requests as a means of re-identifying that user or user agent. Such an identifying
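Review bot: the paragraph ids in this section are positional (rfc.section.8.p.N), so removing the OWASP paragraph silently re-targets them: the validators paragraph moves from p.3 to p.2 and the entity-tag privacy paragraph from p.4 to p.3. Any external deep link to #rfc.section.8.p.3 now lands on the validators text instead of the privacy text. That is inherent to the generator and acceptable for a draft, but worth knowing when a reviewer's comment cites a paragraph number from an earlier build.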
  • draft-ietf-httpbis/latest/p4-conditional.xml

    r2563 r2569  
    12301230<t>
    12311231   This section is meant to inform developers, information providers, and
    1232    users of known security concerns specific to the HTTP/1.1 conditional
     1232   users of known security concerns specific to the HTTP conditional
    12331233   request mechanisms. More general security considerations are addressed
    12341234   in HTTP messaging &messaging; and semantics &semantics;.
    1235 </t>
    1236 <t>
    1237    The list of considerations below is not exhaustive &mdash; security
    1238    analysis in an ongoing activity. Various organizations, such as the
    1239    "Open Web Application Security Project" (OWASP,
    1240    <eref target="https://www.owasp.org/"/>), provide information about current
    1241    research.
    12421235</t>
    12431236<t>
  • draft-ietf-httpbis/latest/p5-range.html

    r2563 r2569  
    448448  }
    449449  @bottom-center {
    450        content: "Expires July 23, 2014";
     450       content: "Expires July 27, 2014";
    451451  }
    452452  @bottom-right {
     
    491491      <meta name="dct.creator" content="Reschke, J. F.">
    492492      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p5-range-latest">
    493       <meta name="dct.issued" scheme="ISO8601" content="2014-01-19">
     493      <meta name="dct.issued" scheme="ISO8601" content="2014-01-23">
    494494      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    495495      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines range requests and the rules for constructing and combining responses to those requests.">
     
    517517            </tr>
    518518            <tr>
    519                <td class="left">Expires: July 23, 2014</td>
     519               <td class="left">Expires: July 27, 2014</td>
    520520               <td class="right">J. Reschke, Editor</td>
    521521            </tr>
     
    526526            <tr>
    527527               <td class="left"></td>
    528                <td class="right">January 19, 2014</td>
     528               <td class="right">January 23, 2014</td>
    529529            </tr>
    530530         </tbody>
     
    553553            in progress”.
    554554         </p>
    555          <p>This Internet-Draft will expire on July 23, 2014.</p>
     555         <p>This Internet-Draft will expire on July 27, 2014.</p>
    556556      </div>
    557557      <div id="rfc.copyrightnotice">
     
    11661166      <div id="security.considerations">
    11671167         <h1 id="rfc.section.6"><a href="#rfc.section.6">6.</a>&nbsp;<a href="#security.considerations">Security Considerations</a></h1>
    1168          <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP/1.1
     1168         <p id="rfc.section.6.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to the HTTP
    11691169            range request mechanisms. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.3"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.2"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
    1170          </p>
    1171          <p id="rfc.section.6.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
    1172             as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
    11731170         </p>
    11741171         <div id="overlapping.ranges">
  • draft-ietf-httpbis/latest/p5-range.xml

    r2563 r2569  
    10491049<t>
    10501050   This section is meant to inform developers, information providers, and
    1051    users of known security concerns specific to the HTTP/1.1 range
     1051   users of known security concerns specific to the HTTP range
    10521052   request mechanisms. More general security considerations are addressed
    10531053   in HTTP messaging &messaging; and semantics &semantics;.
    1054 </t>
    1055 <t>
    1056    The list of considerations below is not exhaustive &mdash; security
    1057    analysis in an ongoing activity. Various organizations, such as the
    1058    "Open Web Application Security Project" (OWASP,
    1059    <eref target="https://www.owasp.org/"/>), provide information about current
    1060    research.
    10611054</t>
    10621055
  • draft-ietf-httpbis/latest/p6-cache.html

    r2566 r2569  
    451451  }
    452452  @bottom-center {
    453        content: "Expires July 26, 2014";
     453       content: "Expires July 27, 2014";
    454454  }
    455455  @bottom-right {
     
    495495      <meta name="dct.creator" content="Reschke, J. F.">
    496496      <meta name="dct.identifier" content="urn:ietf:id:draft-ietf-httpbis-p6-cache-latest">
    497       <meta name="dct.issued" scheme="ISO8601" content="2014-01-22">
     497      <meta name="dct.issued" scheme="ISO8601" content="2014-01-23">
    498498      <meta name="dct.replaces" content="urn:ietf:rfc:2616">
    499499      <meta name="dct.abstract" content="The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document defines HTTP caches and the associated header fields that control cache behavior or indicate cacheable response messages.">
     
    521521            </tr>
    522522            <tr>
    523                <td class="left">Expires: July 26, 2014</td>
     523               <td class="left">Expires: July 27, 2014</td>
    524524               <td class="right">J. Reschke, Editor</td>
    525525            </tr>
     
    530530            <tr>
    531531               <td class="left"></td>
    532                <td class="right">January 22, 2014</td>
     532               <td class="right">January 23, 2014</td>
    533533            </tr>
    534534         </tbody>
     
    557557            in progress”.
    558558         </p>
    559          <p>This Internet-Draft will expire on July 26, 2014.</p>
     559         <p>This Internet-Draft will expire on July 27, 2014.</p>
    560560      </div>
    561561      <div id="rfc.copyrightnotice">
     
    19211921      <div id="security.considerations">
    19221922         <h1 id="rfc.section.8"><a href="#rfc.section.8">8.</a>&nbsp;<a href="#security.considerations">Security Considerations</a></h1>
    1923          <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP/1.1
    1924             caching. More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
    1925          </p>
    1926          <p id="rfc.section.8.p.2">The list of considerations below is not exhaustive — security analysis in an ongoing activity. Various organizations, such
    1927             as the "Open Web Application Security Project" (OWASP, &lt;<a href="https://www.owasp.org/">https://www.owasp.org/</a>&gt;), provide information about current research.
    1928          </p>
    1929          <p id="rfc.section.8.p.3">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious
     1923         <p id="rfc.section.8.p.1">This section is meant to inform developers, information providers, and users of known security concerns specific to HTTP caching.
     1924            More general security considerations are addressed in HTTP messaging <a href="#Part1" id="rfc.xref.Part1.11"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> and semantics <a href="#Part2" id="rfc.xref.Part2.9"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content">[Part2]</cite></a>.
     1925         </p>
     1926         <p id="rfc.section.8.p.2">Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious
    19301927            exploitation. Because cache contents persist after an HTTP request is complete, an attack on the cache can reveal information
    19311928            long after a user believes that the information has been removed from the network. Therefore, cache contents need to be protected
    19321929            as sensitive information.
    19331930         </p>
    1934          <p id="rfc.section.8.p.4">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the
    1935             cache to distribute a malicious payload to many clients, and are especially effective when an attacker can use implmentation
    1936             flaws, elevated priviledges or other techniques to insert such a response into a cache. One common attack vector for cache
     1931         <p id="rfc.section.8.p.3">In particular, various attacks might be amplified by being stored in a shared cache; such "cache poisoning" attacks use the
     1932            cache to distribute a malicious payload to many clients, and are especially effective when an attacker can use implementation
     1933            flaws, elevated privileges, or other techniques to insert such a response into a cache. One common attack vector for cache
    19371934            poisoning is to exploit differences in message parsing on proxies and in user agents; see <a href="p1-messaging.html#message.body.length" title="Message Body Length">Section 3.3.3</a> of <a href="#Part1" id="rfc.xref.Part1.12"><cite title="Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing">[Part1]</cite></a> for the relevant requirements.
    19381935         </p>
    1939          <p id="rfc.section.8.p.5">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information
     1936         <p id="rfc.section.8.p.4">Likewise, implementation flaws (as well as misunderstanding of cache operation) might lead to caching of sensitive information
    19401937            (e.g., authentication credentials) that is thought to be private, exposing it to unauthorized parties.
    19411938         </p>
    1942          <p id="rfc.section.8.p.6">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first
     1939         <p id="rfc.section.8.p.5">Furthermore, the very use of a cache can bring about privacy concerns. For example, if two users share a cache, and the first
    19431940            one browses to a site, the second may be able to detect that the other has been to that site, because the resources from it
    19441941            load more quickly, thanks to the cache.
    19451942         </p>
    1946          <p id="rfc.section.8.p.7">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent
     1943         <p id="rfc.section.8.p.6">Note that the Set-Cookie response header field <a href="#RFC6265" id="rfc.xref.RFC6265.1"><cite title="HTTP State Management Mechanism">[RFC6265]</cite></a> does not inhibit caching; a cacheable response with a Set-Cookie header field can be (and often is) used to satisfy subsequent
    19471944            requests to caches. Servers who wish to control caching of these responses are encouraged to emit appropriate Cache-Control
    19481945            response header fields.
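Review bot: this hunk fixes two spelling errors ("implmentation", "priviledges") and adds a serial comma in the cache-poisoning paragraph, none of which the commit message mentions; since the message is the only record of what an "(editorial)" revision touched, add a clause such as "also fix typos in p6 security considerations". While in that paragraph block, the unchanged context line "Servers who wish to control caching of these responses" would read better as "Servers that wish to control caching", matching how the rest of the section refers to servers.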
  • draft-ietf-httpbis/latest/p6-cache.xml

    r2563 r2569  
    21452145<t>
    21462146   This section is meant to inform developers, information providers, and
    2147    users of known security concerns specific to HTTP/1.1 caching.
     2147   users of known security concerns specific to HTTP caching.
    21482148   More general security considerations are addressed in HTTP messaging
    21492149   &messaging; and semantics &semantics;.
    2150 </t>
    2151 <t>
    2152    The list of considerations below is not exhaustive &mdash; security
    2153    analysis in an ongoing activity. Various organizations, such as the
    2154    "Open Web Application Security Project" (OWASP,
    2155    <eref target="https://www.owasp.org/"/>), provide information about current
    2156    research.
    21572150</t>
    21582151<t>
     
    21682161   shared cache; such "cache poisoning" attacks use the cache to distribute a
    21692162   malicious payload to many clients, and are especially effective when an
    2170    attacker can use implmentation flaws, elevated priviledges or other
     2163   attacker can use implementation flaws, elevated privileges, or other
    21712164   techniques to insert such a response into a cache. One common attack vector
    21722165   for cache poisoning is to exploit differences in message parsing on proxies
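Review bot: the source-side typo fixes here match the ones in the regenerated p6-cache.html hunk line for line ("implementation flaws, elevated privileges, or other"), so the XML and HTML stay in sync. Nothing further to change.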