W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1995

Re: questions -- clarifications requested

From: Roy Fielding <fielding@beach.w3.org>
Date: Wed, 30 Aug 1995 20:01:41 -0400
Message-Id: <199508310001.UAA23845@beach.w3.org>
To: Larry Masinter <masinter@parc.xerox.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
>I wouldn't trust an "Expires" that didn't actually come along with the
>document being served. There's a security hole otherwise; Joe
>'Microsoft-is-Evil' might put up a form <click here> that returns
>
>================================================================
>Location: http://www.microsoft.com
>Expires: 01 Jan 2001 12:00:00 pST
>
><body>I am the evil Borg.</body>
>================================================================
>
>Why don't we leave it as 'Can't cache POST' and not bother gilding
>this particular lily?

Oh, crap!!  Pardon me while I go scream out the window .....

The same problem is currently present if we allow any 2xx request
to return a Location field outside the requested server.


 ....Roy T. Fielding  Department of ICS, University of California, Irvine USA
                      Visiting Scholar, MIT/LCS + World-Wide Web Consortium
                      (fielding@w3.org)                (fielding@ics.uci.edu)
Received on Wednesday, 30 August 1995 17:04:47 EDT
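
The hazard discussed in this thread, seen from the cache's side, as an added example that is not part of the original message or of any HTTP specification text. The function `cache_keys`, its policy of filing a response under a `Location` URL only when that URL names the requested server, and the host `joe.example` are all assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _authority(url):
    """Return (scheme, host, port) with case and default port normalised."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def cache_keys(method, request_url, status, headers):
    """Return the URLs a cache may store this response under ([] = do not store)."""
    if method == "POST":
        # The position quoted in the thread: "Can't cache POST".
        return []
    if method != "GET" or not 200 <= status < 300:
        return []
    fields = {name.lower(): value for name, value in headers.items()}
    keys = [request_url]
    location = fields.get("location")
    if location:
        target = urljoin(request_url, location)
        # A Location naming another server is only the responder's claim.
        # Storing the body under that URL would let one site plant content
        # (with a far-future Expires) for a site it does not control.
        if _authority(target) == _authority(request_url):
            keys.append(target)
    return keys


if __name__ == "__main__":
    # Constructed sample modelled on the response quoted in the message.
    evil = {"Location": "http://www.microsoft.com",
            "Expires": "01 Jan 2001 12:00:00 PST"}
    print(cache_keys("POST", "http://joe.example/form", 200, evil))
    print(cache_keys("GET", "http://joe.example/page", 200, evil))
    print(cache_keys("GET", "http://joe.example/page", 200,
                     {"Location": "/other"}))
```
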
