| Log Message: |
This patch removes the processing of `mxb' parameters in Accept
headers in mod_negotiation. A second patch updates the manual to
reflect this (mxb is not documented directly in the manual but support
for it is implied in one place).
Reasons for removing this feature:
1) As currently implemented, the 'mxb' feature makes possible certain
denial-of-service attacks on negotiated content. These attacks are
posssible for user communities which access an Apache server from
behind a HTTP/1.1 proxy which implements `Vary' related optimisations.
Plugging this denial of service hole without removing `mxb' is fairly
expensive in terms of degrading caching efficiency.
2) `mxb' is not in HTTP/1.0 or HTTP/1.1 or any other standard
3) Nobody seems to make use of 'mxb'. (Balachander Krishnamurthy
kindly offered to grep some of his web traffic traces -- he did not
find a single Accept with mxb in a whole day of recent traffic, nor in
older traces)
4) Removing a feature makes a nice change from adding features.
Submitted by: Koen Holtman <Koen.Holtman@cern.ch>
|
httpd/httpd/trunk/docs/manual/content-negotiation.html