Bugtraq mailing list archives
Some discussion in http-wg ... FW: webmail vulnerabilities: a new pragma token?
From: eric () INFOBRO COM (Eric D. Williams)
Date: Wed, 19 Jan 2000 12:19:28 -0500
This is some of the recent discussion I am aware of in the http-wg of IETF. This could possibly address some of the recent concerns in implementation of WebMail systems, however it does not seem to me to directly address the perplexing 'my eMail is a web page' issues. Eric Eric Williams, Pres. Information Brokers, Inc. Phone: +1 202.889.4395 http://www.infobro.com/ Fax: +1 202.889.4396 mailto:eric () infobro com Pager: +1 301.303.8998 For More Info: info () infobro com -----Original Message----- From: Eric D. Williams [SMTP:eric () infobro com] Sent: Wednesday, January 19, 2000 12:12 PM To: http-wg () cuckoo hpl hp com Subject: RE: webmail vulnerabilities: a new pragma token? Hello all, To get straight to the point. I think the stated is the reason Pragma exists. It is a perfectly apropos usage and addresses the problems discussed on BugTraq directly and efficiently. However, this does not completely address the issues in implementation of the clients and their treatment of these WebMail systems nor the treatment of proxies concerning those systems. Perhaps a poll of those providers would glean some information concerning the current treatment or their client expectations as to the treatment of the 'un-trusted' content types. In any event, this seems to be at least a relevant and appropriate use of Pragma as stipulated in RFC 2616. Eric Eric Williams, Pres. Information Brokers, Inc. Phone: +1 202.889.4395 http://www.infobro.com/ Fax: +1 202.889.4396 mailto:eric () infobro com Pager: +1 301.303.8998 For More Info: info () infobro com On Wednesday, January 19, 2000 8:45 AM, Peter W [SMTP:peterw () usa net] wrote:
Before making this suggestion to client app vendors, I would very much appreciate the comments of this working group. Background: On the Bugtraq security discussion mailing list[1], there has been much conversation of late about webmail vulnerabilities. Essentially, the webmail sites offer HTTP/HTML frontends to read Internet mail. They normally can display HTML-encoded email. Such systems usually try to remove all scripting code from email before displaying it. This is to prevent those scripts from being executed in a way that might exploit current client scripting lnguage problems, or simply exploit the trust that a user might normally place in the site running the webmail frontend. Suggestion: It would be nice if there were on an HTTP header that, if sent to the client, would cause the client to disable javascript, vbscript, etc. for that document only. Sites who wished to display untrusted pages (webmail sites, web discussion forums, etc.) could then use a multi-frame layout. Any frame that contained untrusted code would have this header included in the delivery of its content to ensure that the scripts would not be evaluated, regardless of the normal client settings; other frames, whose "trusted" documents would be sent without this header, would still be able to use scripting (if enabled on the client). May I suggest Pragma: disable-scripting which I suppose means a no-cache page would be sent with Pragma: no-cache, disable-scripting Per RFC 2616, all Pragma headers must be passed to the client by all proxy server or gateway applications. So this header would be passed to the client application, as desired. But is it an acceptable use for "Pragma"? Comments, suggestions? -Peter http://www.bastille-linux.org/ : working towards more secure Linux systems [1] http://www.securityfocus.com/
Current thread:
- Re: XML in IE 5.0, (continued)
- Re: XML in IE 5.0 Mikael Olsson (Jan 13)
- Re: XML in IE 5.0 Mike Brown (Jan 13)
- Re: XML in IE 5.0 Ryan Russell (Jan 14)
- Re: XML in IE 5.0 Brian Behlendorf (Jan 17)
- Re: XML in IE 5.0 David LeBlanc (Jan 18)
- Re: XML in IE 5.0 Jesper M. Johansson (Jan 19)
- Re: XML in IE 5.0 Brian Behlendorf (Jan 17)
- Re: XML in IE 5.0 Darren Reed (Jan 17)
- Re: XML in IE 5.0 Jesper M. Johansson (Jan 19)
- SubSeven 2.1a (trojan) Andrew Griffiths (Jan 19)
- Re: XML in IE 5.0 David LeBlanc (Jan 20)
- Some discussion in http-wg ... FW: webmail vulnerabilities: a new pragma token? Eric D. Williams (Jan 19)
- Re: XML in IE 5.0 Mikael Olsson (Jan 13)
- SyGate 3.11 Port 7323 / Remote Admin hole jalerta () nestworks com (Jan 28)
- [LoWNOISE] Rightfax web client 5.2 ET LoWNOISE (Jan 29)