Commit 8fc5c0c5 authored by Jacob Champion

Merge r1765361 from trunk:

docs: add "threat model" warning to ProxyHTMLMeta


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1765368 13f79535-47bb-0310-9956-ffa450edef68
parent c423abb8
+9 −0
@@ -338,6 +338,15 @@ module for earlier 2.x versions.</td></tr>
    them to real HTTP headers, in keeping with the original purpose
    of this form of the HTML &lt;meta&gt; element.</p>

    <div class="warning"><h3>Warning</h3>
      Because ProxyHTMLMeta promotes <strong>all</strong>
      <code>http-equiv</code> elements to HTTP headers, it is important that you
      only enable it in cases where you trust the HTML content as much as you
      trust the upstream server. If the HTML is controlled by bad actors, it
      will be possible for them to inject arbitrary, possibly malicious, HTTP
      headers into your server's responses.
    </div>

</div>
<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="directive-section"><h2><a name="ProxyHTMLStripComments" id="ProxyHTMLStripComments">ProxyHTMLStripComments</a> <a name="proxyhtmlstripcomments" id="proxyhtmlstripcomments">Directive</a></h2>
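Review bot: The warning body inside <div class="warning"> is bare text directly after the <h3>, while the paragraph just above it is closed with </p>. Wrapping the warning sentences in <p>...</p> would keep the block consistent with the surrounding markup. The same text appears in the second hunk, so the two should be changed together to stay in sync.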
+9 −0
@@ -88,6 +88,15 @@ module for earlier 2.x versions.</compatibility>
    <code>&lt;meta http-equiv=...&gt;</code> declarations and convert
    them to real HTTP headers, in keeping with the original purpose
    of this form of the HTML &lt;meta&gt; element.</p>

    <note type="warning"><title>Warning</title>
      Because ProxyHTMLMeta promotes <strong>all</strong>
      <code>http-equiv</code> elements to HTTP headers, it is important that you
      only enable it in cases where you trust the HTML content as much as you
      trust the upstream server. If the HTML is controlled by bad actors, it
      will be possible for them to inject arbitrary, possibly malicious, HTTP
      headers into your server's responses.
    </note>
</usage>
</directivesynopsis>
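Review bot: The condition "trust the HTML content as much as you trust the upstream server" in the <note type="warning"> leaves the reader to work out the case that matters most: an upstream server that is itself trusted but serves HTML that third parties can write into. One added sentence stating that such content counts as untrusted for this directive, and that ProxyHTMLMeta should stay disabled for it, would make the warning actionable. "Arbitrary, possibly malicious, HTTP headers" could also name one or two header classes an administrator would care about, so the impact is concrete.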