Hi Colm & Cameleers,

On Mon, Feb 7, 2022 at 12:45 PM Colm O hEigeartaigh <cohei...@apache.org> wrote:
>
> Thanks for the feedback. Do you think it's feasible to think of a
> change to Camel along these lines, at least for certain components /
> protocols? Echoing headers for HTTP for example could allow a
> malicious client to mess with how caches store responses.

Perhaps, if we approach the problem incrementally, first as an opt-in with a warning that it'll be opt-out in a future release. Not sure how staggered or how long we should do this. Though I do imagine that this will break for folk regardless of how much time or how incrementally we do it.

I think there are two problems here: information leaks, like the Authorization header you mentioned; and availability/integrity issues, say passing JMSPriority via HTTP and that causing issues with the queue manager.

Overall I find this very problematic and that's why we took a different approach in Syndesis by default. Would like to hear what others think as well.

zoran
--
Zoran Regvart