It's best to send comments to the apps-discuss list; I was just passing this on.
On 02/05/2012, at 3:24 PM, Willy Tarreau wrote:
> Hi Mark,
> On Wed, May 02, 2012 at 09:33:53AM +1000, Mark Nottingham wrote:
>> HTTP folk,
>> Please have a look at this document and send along comments, especially if you're an intermediary or firewall person, or consume the existing X-Forwarded-For header.
> A quick note before it escapes my mind, for 8.2. Information leak:
> I would add:
> This header field must never be copied into response messages by origin
> servers or intermediaries for whatever reason as it can reveal the whole
> proxy chain to the client. As a side effect, special care must be taken
> in hosting environments not to allow the TRACE request where the Forwarded
> field is used, as it would appear in the body of the response message.
> I'll probably have other comments and agree with those raised by Amos.
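As an added illustration of the two points in the quoted note (this is example code, not from Willy Tarreau, Mark Nottingham or the draft): a small WSGI middleware that refuses TRACE and strips Forwarded / X-Forwarded-For from any response, plus an audit helper that reports whether a proxy-chain value from the request shows up anywhere in the response (status line, headers or body). The application, header values and addresses are constructed for the demonstration.

```python
# Added example (not part of the thread or the draft). Enforces the two
# points raised in the note: forwarding fields must never be reflected
# into a response, and TRACE must not be served where they are in use,
# because a TRACE response body is the request message itself.
from typing import Callable, Dict, Iterable, List, Tuple

# Request header fields that describe the proxy chain and must stay
# server-side (the two fields named in the note).
FORWARDING_FIELDS = frozenset({"forwarded", "x-forwarded-for"})


def no_forwarded_leak(app: Callable) -> Callable:
    """Wrap a WSGI application so forwarding information never reaches the client."""

    def wrapped(environ: Dict, start_response: Callable) -> Iterable[bytes]:
        # Refuse TRACE: its body would echo every request header, including
        # any Forwarded field an upstream proxy added.
        if environ.get("REQUEST_METHOD", "").upper() == "TRACE":
            body = b"TRACE is not allowed\n"
            start_response("405 Method Not Allowed", [
                ("Content-Type", "text/plain"),
                ("Allow", "GET, HEAD, POST"),
                ("Content-Length", str(len(body))),
            ])
            return [body]

        def filtered_start_response(status, headers, exc_info=None):
            # Drop any forwarding field the application tried to emit.
            clean = [(k, v) for k, v in headers
                     if k.lower() not in FORWARDING_FIELDS]
            return start_response(status, clean, exc_info)

        return app(environ, filtered_start_response)

    return wrapped


def leaky_app(environ, start_response):
    """Constructed 'before' application: naively copies request headers into the response."""
    headers = [("Content-Type", "text/plain")]
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            # WSGI stores 'Forwarded' as HTTP_FORWARDED; rebuild the field name.
            headers.append((key[5:].replace("_", "-").title(), value))
    start_response("200 OK", headers)
    return [b"hello\n"]


def run_request(app, method: str,
                request_headers: Dict[str, str]) -> Tuple[str, List[Tuple[str, str]], bytes]:
    """Minimal in-process WSGI driver so the example runs offline."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/",
               "SERVER_NAME": "example", "SERVER_PORT": "80",
               "wsgi.url_scheme": "http"}
    for name, value in request_headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def leaked_forwarding_values(request_headers: Dict[str, str], status: str,
                             response_headers: List[Tuple[str, str]],
                             body: bytes) -> List[str]:
    """Audit check: which proxy-chain values from the request appear anywhere in the response?"""
    haystack = (status + "\n" + "\n".join(f"{k}: {v}" for k, v in response_headers)).encode()
    haystack += b"\n" + body
    return [f"{name}: {value}" for name, value in request_headers.items()
            if name.lower() in FORWARDING_FIELDS and value.encode() in haystack]


if __name__ == "__main__":
    # Constructed request, using documentation-range addresses.
    request = {"Forwarded": "for=198.51.100.17;proto=https;by=203.0.113.43",
               "Host": "example.org"}
    for label, app in (("naive app", leaky_app),
                       ("wrapped app", no_forwarded_leak(leaky_app))):
        status, headers, body = run_request(app, "GET", request)
        print(label, "->", status, "leaks:", leaked_forwarding_values(request, status, headers, body))
    status, _, _ = run_request(no_forwarded_leak(leaky_app), "TRACE", request)
    print("wrapped app TRACE ->", status)
```

The audit helper is the part worth keeping around: run it against responses from a real deployment to confirm that nothing downstream (application, error page, debug handler) reflects the chain, since the middleware can only filter headers it sees, not a value an application writes into a body.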