Add TRACE to Safe Methods #168
Comments
/cc @tmornini @brandondees
Related:
- #168
Seems like there are a number of security problems with supporting it, and the universal recommendation is to keep it strictly disabled: https://www.beyondsecurity.com/scan_pentest_network_vulnerabilities_http_trace_method_xss_vulnerability
@brandondees MY MAN 50 GRAND! I'm gonna have to weigh in on this after reading. But knowing it's STRICTLY DISABLED is a "feature" I believe myself. I'm all for MORE EXPLICIT security in my servers. Since the CSP stuff being so important. #160 which gets merged immediately after #164 We can't (shouldn't) just 404 EVERYTHING. That's a lazy practice we've gotten used to for years and years. How the heck is
@brandondees so sticking to the following (as defined in MDN) is optimal? I'd really like to support VERY interesting because this means all Javascript servers which use https://github.com/nodejs/node/blob/master/test/parallel/test-http-methods.js#L38 That would be kinda a big deal to bring awareness to "out of the box". YES?
Well, I hadn't seen it used anywhere before and the type of functionality it's supposed to have seemed like the kind of thing we usually try to prevent servers from doing so I just did a quick search for "http trace security" and found a number of "just disable it" tips from various sources. Seems like it's normally dealt with at the apache / nginx layer rather than on the application side, so it's not surprising it's been left untouched in frameworks that all expect to be behind one of those.
Documentation on the exact risks and exact best practices wasn't immediately obvious based on my quick search, so maybe it's not that big of a problem, maybe it's just universally disabled by everybody to avoid thinking about it in more detail, or maybe I just didn't look long enough to find more clarity about what the exact implications and tradeoffs are (what, 20 seconds ain't thorough research?). I can't think of any obvious use case for this feature in the first place, so I'm assuming we don't really need it. From a security standpoint, I'm a big believer in not shipping attack surface area that isn't well justified.
@brandondees hmmmm.... leaning more towards agreeing with you. Perhaps not a feature but a punt/WIP? Tom and I have been revisiting some parts of the HTTP spec and realizing there is a ton that was just an afterthought that developed into anti-patterns because of monkeys on ladders. (myself included). We have to draw the line between "people shouldn't have to use nginx to develop an application. Even the best devs gradually get to CDN" and YAGNI. Similar to the (long-winded) discussion about "HTML partial includes". Tom got the entire thread to slow its roll when he stated "Forcing developers to REQUIRE javascript just to include a partial HTML snippet is just kicking the tech debt can" or something to that flavor. To be clear the 60,000 ft. view is less about making YET ANOTHER web server. (we already use KOA which is a lightweight version of express which itself is a heavyweight wrapper around /cc @tmornini
Yeah, just because something's part of a spec doesn't mean it's right. Some of these things were designed before internet security was even a concept, and may now be obsolete even though there's not a new spec to remove them.
@tmornini @brandondees @kurtcagle @btakita I see the words... but difficult to put together sentences:
HTTP Spec 9.8 TRACE: https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.8
I will add TRACE to SAFE_METHODS in #164 but will save actual implementation within Resource for a subsequent PR related to this issue.