[33943] in bugtraq
Re: blocking gzip encoded files
daemon@ATHENA.MIT.EDU (Josep L. Guallar-Esteve)
Wed Feb 25 12:22:47 2004
From: "Josep L. Guallar-Esteve" <guallar@easternrad.com>
To: bugtraq@securityfocus.com
Date: Tue, 24 Feb 2004 13:00:47 -0500
In-Reply-To: <403A80EF.1080900@cissp.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200402241300.47183.guallar@easternrad.com>

On Monday 23 February 2004 05:38 pm, Darwin Mecham wrote:
> It has recently come to my attention that most browsers happily
> do Accept-encoding: gzip and streaming decompression of
> HTML data received with Content-encoding: gzip
> without asking.

This is because most browsers support the HTTP-1.1 standard.

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.11
http://www.w3.org/Talks/9608HTTP/
http://www.seoconsultants.com/articles/1000/http-compression.asp

> This has been in use since sometime in 1998.

IIRC, HTTP 1.1 was endorsed by W3C ~ 1999

> Is there a way to configure the run-of-the-mill browser to
> block these at the host level ?

You can disable HTTP 1.1 compliance if you wish.

> Darwin

Regards,
Josep
--
Josep L. Guallar-Esteve Eastern Radiologists, Inc.
Systems and Network Administration http://www.easternrad.com
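
The negotiation discussed in this thread, as an added example that is not part of the original message: a constructed request with Accept-Encoding: gzip, a constructed response with Content-Encoding: gzip, and a check that compares what is visible in the bytes on the wire with what the browser sees after decoding. The function names, the sample exchange and the 1 MiB decode cap are assumptions made for illustration.

```python
import gzip
import zlib

MAX_DECODED = 1 << 20  # assumed cap on decoded size (1 MiB)

# Constructed exchange: the request a browser sends and a gzip-coded reply.
REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Accept-Encoding: gzip\r\n\r\n")
PAGE = b"<html><body>" + b"<p>sample paragraph</p>" * 20 + b"</body></html>"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(PAGE))


def parse_response(raw):
    """Split a raw HTTP response into (status line, headers, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decoded_body(headers, body, limit=MAX_DECODED):
    """Undo Content-Encoding as the browser would, refusing oversized output."""
    coding = headers.get("content-encoding", "identity").lower()
    if coding == "identity":
        return body
    if coding not in ("gzip", "x-gzip"):
        raise ValueError("unsupported content-coding: " + coding)
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = d.decompress(body, limit + 1)  # never inflate past the cap
    if len(out) > limit:
        raise ValueError("decoded body exceeds limit")
    if not d.eof:
        raise ValueError("truncated gzip stream")
    return out


def seen_on_wire_and_decoded(raw, needle):
    """Report whether needle is visible in the wire bytes and after decoding."""
    _, headers, body = parse_response(raw)
    return needle in body, needle in decoded_body(headers, body)


if __name__ == "__main__":
    print(seen_on_wire_and_decoded(RESPONSE, b"sample paragraph"))
```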