This is some of the recent discussion I am aware of in the http-wg of IETF. This could possibly address some of the recent concerns in implementation of WebMail systems, however it does not seem to me to directly address the perplexing 'my eMail is a web page' issues. Eric Eric Williams, Pres. Information Brokers, Inc. Phone: +1 202.889.4395 http://www.infobro.com/ Fax: +1 202.889.4396 mailto:ericat_private Pager: +1 301.303.8998 For More Info: infoat_private -----Original Message----- From: Eric D. Williams [SMTP:ericat_private] Sent: Wednesday, January 19, 2000 12:12 PM To: http-wgat_private Subject: RE: webmail vulnerabilities: a new pragma token? Hello all, To get straight to the point. I think the stated is the reason Pragma exists. It is a perfectly apropos usage and addresses the problems discussed on BugTraq directly and efficiently. However, this does not completely address the issues in implementation of the clients and their treatment of these WebMail systems nor the treatment of proxies concerning those systems. Perhaps a poll of those providers would glean some information concerning the current treatment or their client expectations as to the treatment of the 'un-trusted' content types. In any event, this seems to be at least a relevant and appropriate use of Pragma as stipulated in RFC 2616. Eric Eric Williams, Pres. Information Brokers, Inc. Phone: +1 202.889.4395 http://www.infobro.com/ Fax: +1 202.889.4396 mailto:ericat_private Pager: +1 301.303.8998 For More Info: infoat_private On Wednesday, January 19, 2000 8:45 AM, Peter W [SMTP:peterwat_private] wrote: > > Before making this suggestion to client app vendors, I would very much > appreciate the comments of this working group. > > Background: > > On the Bugtraq security discussion mailing list[1], there has been much > conversation of late about webmail vulnerabilities. Essentially, the > webmail sites offer HTTP/HTML frontends to read Internet mail. They > normally can display HTML-encoded email. Such systems usually try to > remove all scripting code from email before displaying it. This is to > prevent those scripts from being executed in a way that might exploit > current client scripting lnguage problems, or simply exploit the trust > that a user might normally place in the site running the webmail frontend. > > Suggestion: > > It would be nice if there were on an HTTP header that, if sent to the > client, would cause the client to disable javascript, vbscript, etc. for > that document only. Sites who wished to display untrusted pages (webmail > sites, web discussion forums, etc.) could then use a multi-frame layout. > Any frame that contained untrusted code would have this header included in > the delivery of its content to ensure that the scripts would not be > evaluated, regardless of the normal client settings; other frames, whose > "trusted" documents would be sent without this header, would still be able > to use scripting (if enabled on the client). > > May I suggest > > Pragma: disable-scripting > > which I suppose means a no-cache page would be sent with > > Pragma: no-cache, disable-scripting > > Per RFC 2616, all Pragma headers must be passed to the client by all proxy > server or gateway applications. So this header would be passed to the > client application, as desired. But is it an acceptable use for "Pragma"? > > Comments, suggestions? > > -Peter > > http://www.bastille-linux.org/ : working towards more secure Linux systems > > [1] http://www.securityfocus.com/
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:29:10 PDT