httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: TRACE still enabled by default
Date Wed, 21 Mar 2012 20:57:03 GMT
On 3/21/2012 2:59 PM, Mark Montague wrote:
> On March 21, 2012 15:33 , "Roy T. Fielding" <fielding@gbiv.com> wrote:
>> TRACE won't work at all if the most popular end-point doesn't support it. 
> 
> Why would this be a bad thing?  Or, to phrase it another way, what are the situations
in
> which it is desirable that TRACE be already-enabled on a web server as opposed to having
> the owner of the web server enable the TRACE method in response to a specific debugging
need?

Because, if you do NOT own the end-point, but are trying to debug a fault
in a proxy which you DO own, then the lack of support in the upstream
proxies or origin server leave you no ability to perform this diagnostic.

The output was never intended for unfiltered display.  IIS provided for
the TRACE results to be emitted to the browser with no consideration to
cross-site scripting implications.  There WAS a browser bug, but never
an actual flaw with the protocol or Apache implementation.  Most of the
security reports and scanner output mischaracterizes the original defect.

Mime
View raw message