Re: [RFC] Translate and Unless-Modified-Since headers

From: Mark Nottingham <mnot_at_yahoo-inc.com>
Date: Mon, 18 May 2009 23:06:13 +1000

Sorry to be blunt, but shouldn't these sites be securing themselves?
Having Squid strip this header hardly closes any significant attack
vectors off... and doing so creates yet another special case for
people to work around.

-1 on Translate (default strip; registering it, I suppose, although
it's a vendor-specific extension header that they haven't bothered to
register; I'd rather the focus be on those headers that people have
actually tried to do the right thing for -- especially when they have
*not* said they'll license patents for this specification).

WRT Unless-Modified-Since -- IIRC this is a very old, pre-2068 version
of If-Range. /me looks around...
see: http://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15847a-s96/web/draft-luotonen-http-url-byterange-02.txt

What's the issue with it? Amusingly, MSFT thinks it's a response header:
   http://msdn.microsoft.com/en-us/library/aa917918.aspx

On 18/05/2009, at 9:05 PM, Amos Jeffries wrote:

> Both of these are non-standard headers created by Microsoft.
>
> These are both weird ones. We seem to need them, but only because
> they need to be stripped away in certain circumstances.
>
> The Translate: header is the trickiest. After reading the docs it
> appears we should be always stripping it away for security. Its
> entire purpose is to perform code disclosure 'attacks' on targeted
> dynamic sites. With perhaps a fast-ACL to allow admins to use it
> and control the requests using it when they really need to.
>
> Pending any objections I'll add as registered headers in 3.0 and the
> above handling for Translate in 3.1.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
> Current Beta Squid 3.1.0.7

--
Mark Nottingham       mnot_at_yahoo-inc.com
Received on Mon May 18 2009 - 13:07:29 MDT
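As an added illustration (not from either message, and not Squid's shipped configuration), this is the "strip Translate by default, allow it only for trusted admins" handling Amos describes, written as a squid.conf fragment; the ACL name and address range are assumptions:

```squid
# Added example, not part of the thread above. Shows the default-strip
# with admin-exception handling for the Translate: request header using
# Squid's request_header_access directive (Squid 3.x naming; Squid 2.x
# uses header_access with the same syntax).

# ACL name and source range are assumptions for this example.
acl translate_admins src 192.0.2.0/24

# Weak setting: no rule at all. Squid's default is to allow every header,
# so Translate: is forwarded untouched to any origin that honours it.

# Corrected setting: rules are evaluated in order, first match wins.
# Admin clients may send Translate:, everyone else has it stripped.
request_header_access Translate allow translate_admins
request_header_access Translate deny all

# Headers Squid does not know by name are only addressable via "Other",
# which is why registering Translate (as proposed in the thread) is
# what makes a per-header rule like the one above applicable to it.
```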

This archive was generated by hypermail 2.2.0 : Mon May 18 2009 - 12:00:02 MDT