
Re: questions -- clarifications requested

From: Roy Fielding <fielding@beach.w3.org>
Date: Wed, 30 Aug 1995 20:01:41 -0400
Message-Id: <199508310001.UAA23845@beach.w3.org>
To: Larry Masinter <masinter@parc.xerox.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>I wouldn't trust an "Expires" that didn't actually come along with the
>document being served. There's a security hole otherwise; Joe
>'Microsoft-is-Evil' might put up a form <click here> that returns
>Location: http://www.microsoft.com
>Expires: 01 Jan 2001 12:00:00 pST
><body>I am the evil Borg.</body>
>Why don't we leave it as 'Can't cache POST' and not bother gilding
>this particular lily?

Oh, crap!!  Pardon me while I go scream out the window .....

The same problem is currently present if we allow any 2xx request
to return a Location field outside the requested server.

 ....Roy T. Fielding  Department of ICS, University of California, Irvine USA
                      Visiting Scholar, MIT/LCS + World-Wide Web Consortium
                      (fielding@w3.org)                (fielding@ics.uci.edu)
Received on Wednesday, 30 August 1995 17:04:47 UTC
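
The cache-side check this exchange points toward, as an added example that is not part of the original thread or of any HTTP implementation: a response is filed under the URL named in its Location field only when that URL is on the server that was actually asked. The function names, the policy itself and the joe.example host are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urljoin

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) for an absolute URL, default ports filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORTS.get(scheme))

def storable_keys(method, request_url, status, headers):
    """Return the URLs a cache may store this response under.

    Hypothetical policy: POST responses are not stored at all, and a
    Location field on a 2xx response adds a second cache key only when
    it names the same server that produced the response.
    """
    if method.upper() == "POST":
        return []
    keys = [request_url]
    fields = {name.lower(): value for name, value in headers.items()}
    location = fields.get("location")
    if location and 200 <= status < 300:
        target = urljoin(request_url, location)  # resolve relative values
        # A Location outside the requested server is ignored for caching,
        # so the body and its Expires are never filed under a URL the
        # responding server does not control.
        if origin(target) == origin(request_url) and target != request_url:
            keys.append(target)
    return keys

# Constructed sample: the response from the quoted message, served by a
# made-up host, followed by a same-server Location for comparison.
CROSS_SERVER = {"Location": "http://www.microsoft.com",
                "Expires": "01 Jan 2001 12:00:00 pST"}
SAME_SERVER = {"location": "/form/result"}

if __name__ == "__main__":
    print(storable_keys("GET", "http://joe.example/form", 200, CROSS_SERVER))
    print(storable_keys("GET", "http://joe.example/form", 200, SAME_SERVER))
    print(storable_keys("POST", "http://joe.example/form", 200, SAME_SERVER))
```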
