Vulnerability Development mailing list archives
http get
From: "Arjan Steenbergen" <arjan.steenbergen () chello nl>
Date: Thu, 6 Sep 2001 23:11:30 +0200
[ I hope this message is not totally offtopic on this list. If so, sorry! Maybe everybody knows this already, maybe not. I have never read anything about this, so I'll just post it... ] The HTTP GET request that a webbrowser sends to a website, contains an 'accept' string, to indicate the types of data it can handle. Example: GET / HTTP /1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Host: www.tweakers.net Connection: Keep-Alive As you can see, Internet Explorer (not only the latest version) also shows it can handle Powerpoint, Excel and Word files. In other words: it shows that you have MS Office installed on your computer. One implication of this might be that when you register on passport.com, Microsoft knows immediately if you have Office or not. They probably won't use that information, but the problem is ofcourse that you just don't know... I haven't done extensive testing with this. What I have noticed sometime is that the string is only sent in the first connection to a website (do a refresh, and its gone). You can verify all this very easy with a network sniffer like ethereal, or by putting a simple ASP script on your IIS server: <html><body> <% For Each v in Request.ServerVariables response.write v&"="&Request.ServerVariables(v)&"<BR>" Next %> </body></html> All in all, it's not that big a deal, but I don't like it when my browser is sending information that I'm not aware of... Regards
Current thread:
- http get Arjan Steenbergen (Sep 06)