Re: WGLC: draft-ietf-appsawg-http-forwarded-02.txt


Willy -

It's best to send comments to the apps-discuss list; I was just passing this on.

Cheers,


On 02/05/2012, at 3:24 PM, Willy Tarreau wrote:

> Hi Mark,
>
> On Wed, May 02, 2012 at 09:33:53AM +1000, Mark Nottingham wrote:
>> HTTP folk,
>>
>> Please have a look at this document and send along comments, especially if you're an intermediary or firewall person, or consume the existing X-Forwarded-For header.
>>
>> <http://tools.ietf.org/html/draft-ietf-appsawg-http-forwarded-02>
>
> A quick note before it escapes my mind, for 8.2. Information leak:
>
> I would add:
>   This header field must never be copied into response messages by origin
>   servers or intermediaries for whatever reason as it can reveal the whole
>   proxy chain to the client. As a side effect, special care must be taken
>   in hosting environments not to allow the TRACE request where the Forwarded
>   field is used, as it would appear in the body of the response message.
>
> I'll probably have other comments and agree with those raised by Amos.
>
> Regards,
> Willy
>

--
Mark Nottingham   http://www.mnot.net/
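The two leak paths Willy describes (the field copied into a response, and TRACE echoing it back in the body) as an added Python checker plus the last-hop mitigation; this is example code, not part of the thread or the draft, and the Forwarded value syntax in the constructed samples follows the published RFC 7239 rather than draft-02.

```python
"""Constructed example (not from the thread): flag a Forwarded leak in an
HTTP response, either copied into the response headers or echoed back in
the body of a TRACE response, and show the client-facing-hop mitigation."""
from email.parser import Parser  # stdlib RFC 822-style header parsing

LEAKY_FIELDS = ("forwarded", "x-forwarded-for")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.decode("iso-8859-1").partition("\r\n")
    return status_line, Parser().parsestr(header_block), body


def find_leaks(raw_response: bytes, request_method: str) -> list:
    """Return findings naming where proxy-chain fields reach the client."""
    _status, headers, body = parse_response(raw_response)
    findings = []
    # 1. The field copied into response headers (the 8.2 concern above).
    for name in LEAKY_FIELDS:
        for value in headers.get_all(name, []):
            findings.append("response header %s: %s" % (name, value))
    # 2. TRACE reflects the request, headers included, as a message/http
    #    body, so the field shows up there even when the headers are clean.
    if request_method.upper() == "TRACE":
        for line in body.decode("iso-8859-1").splitlines():
            if line.split(":", 1)[0].strip().lower() in LEAKY_FIELDS:
                findings.append("TRACE body echoed %s" % line.strip())
    return findings


def strip_leaky_fields(raw_response: bytes) -> bytes:
    """Mitigation at the client-facing hop: drop the fields before sending."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    names = tuple(f.encode() for f in LEAKY_FIELDS)
    kept = [ln for ln in head.split(b"\r\n")
            if ln.split(b":", 1)[0].strip().lower() not in names]
    return b"\r\n".join(kept) + sep + body


# Constructed samples; addresses are from the RFC 5737 documentation ranges.
SAMPLE_HEADER_LEAK = (b"HTTP/1.1 200 OK\r\n"
                      b"Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43\r\n"
                      b"Content-Length: 2\r\n\r\nok")
SAMPLE_TRACE = (b"HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                b"TRACE / HTTP/1.1\r\nHost: example.com\r\n"
                b"Forwarded: for=192.0.2.60;by=203.0.113.43\r\n\r\n")

if __name__ == "__main__":
    for sample, method in ((SAMPLE_HEADER_LEAK, "GET"), (SAMPLE_TRACE, "TRACE")):
        print(method, find_leaks(sample, method))
```

The checker only inspects what the client-facing hop emits; disabling TRACE at the origin or front proxy removes the second path entirely.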