BugTraq
Thread index:
A technique to mitigate cookie-stealing XSS attacks, Nov 05 2002 06:44PM, Michael Howard (mikehow microsoft com) (3 replies)
Re: A technique to mitigate cookie-stealing XSS attacks, Nov 11 2002 06:19PM, Jeremiah Grossman (jeremiah whitehatsec com) (1 reply)
RE: A technique to mitigate cookie-stealing XSS attacks, Nov 12 2002 12:46AM, Jason Coombs (jasonc science org)
Re: A technique to mitigate cookie-stealing XSS attacks, Nov 07 2002 08:26PM, Justin King (justin othius com) (1 reply)
Re: A technique to mitigate cookie-stealing XSS attacks, Nov 10 2002 03:21AM, Ulf Harnhammar (ulfh update uu se) (2 replies)
RE: A technique to mitigate cookie-stealing XSS attacks, Nov 12 2002 10:43AM, jasonk (jasonk swin edu au)
Re: A technique to mitigate cookie-stealing XSS attacks, Nov 11 2002 08:29PM, Seth Arnold (sarnold wirex com)
Re: A technique to mitigate cookie-stealing XSS attacks, Nov 05 2002 09:38PM, Florian Weimer (Weimer CERT Uni-Stuttgart DE) (2 replies)
Re: A technique to mitigate cookie-stealing XSS attacks, Nov 08 2002 04:23AM, daw mozart cs berkeley edu (David Wagner)
> What about HTTP headers which advise user agents to disable some
> features, e.g. read/write access to the document or parts of it via
> scripting or other Internet Explorer interfaces?
>
> Is anybody interested in writing an Informational RFC on this topic?
Pointless.
It's one thing for a web browser to refuse to do something because it suspects
that it has been asked something underhanded (for instance, to not give a
cookie value to a script if it were tagged 'httponly').
It's something else for a server to try to restrict user agents that way.
A well-behaved user agent won't need the hints, and a malicious one won't
listen to them....
(Note - I'm talking here about a server trying to say "Thou Shalt Not Do
XYZ" and expecting to be listened to - if anything, this is a big clue to
the attacker that they should look for a way to try to do XYZ anyhow. That
never works. On the other hand, there are *lots* of areas where *HINTS*
(like the HTTP 'Expires' header) are quite valuable...
Remember - we've seen enough Bugtraq postings about people who try to use
hidden fields in an HTML document for security, and get it wrong...
--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
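The 'httponly' behaviour mentioned above (a user agent withholding a cookie from script when the cookie carries that tag), as an added example that is not part of the original thread: a small Python audit that parses constructed Set-Cookie headers, reports cookies set without HttpOnly, and shows what document.cookie would expose in a user agent that honours the flag versus one that ignores it. The header lines and cookie values are made up for illustration.

```python
"""Audit Set-Cookie headers for the HttpOnly flag.

Added example, not code from the BugTraq thread. SAMPLE_HEADERS is a
constructed HTTP response, not captured from any real server.
"""

# Constructed response headers: one cookie carries HttpOnly, two do not.
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly",
    "Set-Cookie: prefs=dark; Path=/",
    "Set-Cookie: csrf=t0k3n; Path=/; SameSite=Strict",
]


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased so 'HttpOnly' and 'httponly' match;
    flag attributes without '=' (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def cookies_from_headers(headers):
    """Return parsed cookies for every Set-Cookie header, in order."""
    return [parse_set_cookie(h.split(":", 1)[1])
            for h in headers if h.lower().startswith("set-cookie:")]


def script_visible_cookies(headers, honors_httponly=True):
    """Simulate document.cookie: an HttpOnly-aware agent hides flagged cookies,
    an older agent that ignores the flag exposes all of them to page script."""
    return {name: value for name, value, attrs in cookies_from_headers(headers)
            if not (honors_httponly and "httponly" in attrs)}


def missing_httponly(headers):
    """Names of cookies the server set without HttpOnly (audit finding)."""
    return [name for name, _, attrs in cookies_from_headers(headers)
            if "httponly" not in attrs]


if __name__ == "__main__":
    print("no HttpOnly:", missing_httponly(SAMPLE_HEADERS))
    print("script sees:", script_visible_cookies(SAMPLE_HEADERS))
```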