Mike Amundsen wrote:
I propose the following HTTP Headers be added to the white list:
Accept
Accept-Language
Accept-Ranges
Age
Allow
Cache-Control
Content-Disposition
Content-Language
Content-Location
Content-MD5
Content-Range
Content-Type
ETag
Expect
Expires
From
If-Match
If-Modified-Since
If-None-Match
If-Range
If-Unmodified-Since
Last-Modified
Location
Max-Forwards
Pragma
Range
Refresh
Retry-After
Server
Transfer-Encoding
User-Agent
Vary
Warning
So first off, this whitelist only matters for GET requests. So headers
that don't make sense for GET I don't see a reason to allow; that
especially includes request headers.
I'm wondering what you based this list on, and why you think that these
headers are all going to be safe? For example Content-MD5 (apart from
the fact that it doesn't make sense for GET requests) seems dangerous if
the server relies on it being truthful.
/ Jonas
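A worked illustration of the Content-MD5 concern raised in the reply above, added here as an example; it is not code from the original thread or from any browser or server discussed there. The two handlers, the digest-keyed store and the sample bodies are all constructed for the illustration; the only thing taken from a specification is the Content-MD5 value format (base64 of the raw 16-byte MD5 digest, RFC 1864). The point is that a header a cross-site page can set freely must be recomputed server-side, never trusted.

```python
import base64
import hashlib
from typing import Dict, Optional


def content_md5(body: bytes) -> str:
    """Content-MD5 value per RFC 1864: base64 of the raw MD5 digest of the body."""
    return base64.b64encode(hashlib.md5(body).digest()).decode("ascii")


def store_trusting(headers: Dict[str, str], body: bytes,
                   store: Dict[str, bytes]) -> str:
    """Hypothetical handler that RELIES on the client's Content-MD5 being truthful.

    It files the body under the digest the client asserted without recomputing
    it. If a cross-site page is allowed to set Content-MD5 on a request that
    carries the victim's credentials, it can make the server overwrite whatever
    is stored under an arbitrary digest with content of its choosing.
    """
    key = headers["Content-MD5"]          # taken on faith: this is the flaw
    store[key] = body
    return key


def store_verifying(headers: Dict[str, str], body: bytes,
                    store: Dict[str, bytes]) -> Optional[str]:
    """Hardened handler: recompute the digest and reject on mismatch.

    The client's header is at most an integrity hint; the value the server
    acts on is always derived from the bytes it actually received.
    """
    asserted = headers.get("Content-MD5")
    actual = content_md5(body)
    if asserted is not None and asserted != actual:
        return None                       # integrity failure: store nothing
    store[actual] = body
    return actual


def demo() -> Dict[str, object]:
    """Run both handlers against a forged Content-MD5 and report what happened.

    'legit' and 'evil' are constructed sample bodies; the attacker sends 'evil'
    with the digest of 'legit' in the header.
    """
    legit, evil = b"legit", b"evil"
    forged = {"Content-MD5": content_md5(legit)}

    trusting: Dict[str, bytes] = {content_md5(legit): legit}
    overwritten_key = store_trusting(forged, evil, trusting)

    verifying: Dict[str, bytes] = {content_md5(legit): legit}
    rejected = store_verifying(forged, evil, verifying)

    return {
        "trusting_now_holds_evil": trusting[overwritten_key] == evil,
        "verifying_rejected": rejected is None,
        "verifying_still_holds_legit": verifying[content_md5(legit)] == legit,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The trusting handler ends up holding the attacker's body under the legitimate digest, while the verifying handler leaves its store untouched and signals the mismatch. Any header on a cross-site whitelist should be judged the same way: if the server has any reason to act on its value, a page from another origin being able to set it is a problem, which is exactly why response-only and entity headers that never belong on a GET have no business on a request whitelist.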