nodeSolidServer/node-solid-server

Information exposure through Link header by guessing an allocated URI


NSS responds to unauthenticated and unauthorized GET requests to /foo/bar (that exists) by including the HTTP header:

Link: <bar.acl>; rel="acl", <bar.meta> rel="describedBy", <http://www.w3.org/ns/ldp#Resource>; rel="type"

For GET requests to non-existing resources, e.g. /foo/baz, the response doesn't include the HTTP Link header.

Thus, the security consideration: existence of a resource can potentially be known by guessing or anticipating an allocated URI.

There are use cases where the server may want to reveal the information in the Link header in the response. If the server doesn't make the distinction between intentionally revealing and unintentionally exposing, the server is encouraged to minimize information leakage. So, in the case here, it should be consistent by omitting the Link header for unauthenticated and unauthorized requests.

Same behaviour with OPTIONS.
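The following is an added example, not code from node-solid-server or from the issue author. It models the behaviour reported above with two stand-in request handlers (`leakyHandle`, which attaches the Link header whenever the resource exists, before the access decision; `hardenedHandle`, which decides access first and returns a fixed, metadata-free response when access is denied) and a small oracle check, `findOracleSignals`, that compares the responses for a known-existing and a non-existing path under the same lack of credentials. The resource store, the handler signatures and the 401 status for denied requests are assumptions; the Link header text is the one quoted in the issue with a `;` before each `rel` parameter.

```javascript
// Added example, not node-solid-server code. Models the behaviour reported in the
// issue (Link header present only when the resource exists, regardless of the access
// decision), a hardened variant, and an oracle check that compares two responses.

// Constructed sample store: only /foo/bar exists (assumption for this example).
const RESOURCES = new Set(['/foo/bar']);

const LDP_RESOURCE = 'http://www.w3.org/ns/ldp#Resource';

// Builds the Link header quoted in the issue for a resource path.
function linkHeaderFor(path) {
  const name = path.slice(path.lastIndexOf('/') + 1);
  return `<${name}.acl>; rel="acl", <${name}.meta>; rel="describedBy", <${LDP_RESOURCE}>; rel="type"`;
}

// Leaky handler: resource metadata is emitted before the access decision, so an
// unauthenticated or unauthorized request (authorized === false) still learns whether
// the path exists from the presence of Link. GET and OPTIONS behave the same way.
// 401 for every denied request is an assumption of this model.
function leakyHandle(path, method, authorized) {
  const headers = {};
  const exists = RESOURCES.has(path);
  if (exists && (method === 'GET' || method === 'OPTIONS')) {
    headers.Link = linkHeaderFor(path);
  }
  if (!authorized) return { status: 401, headers };
  return { status: exists ? 200 : 404, headers };
}

// Hardened handler: the access decision comes first. A denied request gets a fixed
// response with no resource-specific headers, so existing and absent paths are
// indistinguishable. Authorized requests still receive the Link header.
function hardenedHandle(path, method, authorized) {
  if (!authorized) return { status: 401, headers: {} };
  const exists = RESOURCES.has(path);
  if (!exists) return { status: 404, headers: {} };
  const headers = {};
  if (method === 'GET' || method === 'OPTIONS') headers.Link = linkHeaderFor(path);
  return { status: 200, headers };
}

// Oracle check: send the same request for a path known to exist and for one that does
// not, under the same credentials, and report every header whose presence differs plus
// any status difference. A non-empty result means the server discloses existence to a
// caller it otherwise refuses.
function findOracleSignals(handle, method, existingPath, missingPath, authorized) {
  const a = handle(existingPath, method, authorized);
  const b = handle(missingPath, method, authorized);
  const signals = [];
  if (a.status !== b.status) signals.push(`status ${a.status} vs ${b.status}`);
  const names = new Set([...Object.keys(a.headers), ...Object.keys(b.headers)]);
  for (const name of [...names].sort()) {
    if ((name in a.headers) !== (name in b.headers)) signals.push(`header ${name}`);
  }
  return signals;
}

// Stand-alone demonstration: the leaky handler reveals Link for GET and OPTIONS,
// the hardened one reveals nothing to a denied caller.
for (const method of ['GET', 'OPTIONS']) {
  console.log(method, 'leaky   :', findOracleSignals(leakyHandle, method, '/foo/bar', '/foo/baz', false));
  console.log(method, 'hardened:', findOracleSignals(hardenedHandle, method, '/foo/bar', '/foo/baz', false));
}
```

Against a real server the same comparison is run over the actual HTTP response headers and status codes of two unauthenticated requests; the handler functions here only stand in for that exchange so the example runs offline. Any header or status that differs between the two responses is an existence oracle, which is why the hardened variant returns the identical response for both paths rather than merely dropping Link.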