[Webkit-unassigned] [Bug 15530] New: XMLHttpRequest should not support certain methods

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 16 04:07:01 PDT 2007


           Summary: XMLHttpRequest should not support certain methods
           Product: WebKit
           Version: 522+ (nightly)
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: P3
         Component: XML
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ap at webkit.org

These methods make various XSS attacks possible.

   TRACE   http://www.kb.cert.org/vuls/id/867593
   TRACK   http://www.kb.cert.org/vuls/id/288308
   CONNECT http://www.kb.cert.org/vuls/id/150227

AFAIK the network layer blocks them on the Mac anyway, but I think we should
explicitly check for these in XMLHttpRequest implementation itself.

Configure bugmail: http://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the webkit-unassigned mailing list