On Mon, May 18, 2009 at 1:05 PM, Amos Jeffries <squ...@treenet.co.nz> wrote:
> Both of these are non-standard headers created by Microsoft.
>
> These are both weird ones. We seem to need them, but only because they need
> to be stripped away in certain circumstances.
>
> The Translate: header is the trickiest. After reading the docs it appears we
> should be always stripping it away for security. Its entire purpose is to
> perform code disclosure 'attacks' on targeted dynamic sites. With perhaps a
> fast-ACL to allow admins to use it and control the requests using it when
> they really need to.
>
> Pending any objections I'll add them as registered headers in 3.0 and the above
> handling for Translate in 3.1.

Do you have any reference document to point me to?

+1 to registering them, but I'd like to understand a bit more before
default-stripping.



-- 
    /kinkie
