On Mon, May 18, 2009 at 1:05 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> Both of these are non-standard headers created by Microsoft.
>
> These are both weird ones. We seem to need them, but only because they need
> to be stripped away in certain circumstances.
>
> The Translate: header is the trickiest. After reading the docs it appears we
> should be always stripping it away for security. Its entire purpose is to
> perform code disclosure 'attacks' on targeted dynamic sites. With perhaps a
> fast-ACL to allow admins to use it and control the requests using it when
> they really need to.
>
> Pending any objections I'll add as registered headers in 3.0 and the above
> handling for Translate in 3.1.

Do you have any reference document to point me to?
+1 to registering them, but I'd like to understand a bit more before
default-stripping.

--
/kinkie