httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <>
Subject Re: Why can't ap_send_error_response() count on charset?
Date Tue, 13 Aug 2002 22:47:10 GMT
On Tue, 13 Aug 2002, Roy T. Fielding wrote:

> Someone could try adding the meta tag to the HTML output instead of
> on the content-type, but then they would have to check to see if this
> still reduces the cross-site scripting problems that Marc found earlier.

My recollection (I would have to check my notes to be sure) is that it is
not sufficient to put it as a meta tag to attempt to protect from charset
related cross site scripting attacks because it can be overidden.

In fact, the exact browser bug that this thread is trying to work around
(redirect with an explicit encoding in the HTTP headers results in that
encoding being used for the target of the redirect instead of anything
specified in a meta tag in that document) is one good example of why
setting it in the meta tag ourself wouldn't be sufficient to avoid charset
related cross site scripting attacks on browsers with this bug... since
the attacker site could just set one in their HTTP headers.

View raw message