- From: Roy Fielding <fielding@beach.w3.org>
- Date: Wed, 30 Aug 1995 20:01:41 -0400
- To: Larry Masinter <masinter@parc.xerox.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

>I wouldn't trust an "Expires" that didn't actually come along with the
>document being served. There's a security hole otherwise; Joe
>'Microsoft-is-Evil' might put up a form <click here> that returns
>
>================================================================
>Location: http://www.microsoft.com
>Expires: 01 Jan 2001 12:00:00 pST
>
><body>I am the evil Borg.</body>
>================================================================
>
>Why don't we leave it as 'Can't cache POST' and not bother gilding
>this particular lily?

Oh, crap!! Pardon me while I go scream out the window .....

The same problem is currently present if we allow any 2xx request to return a Location field outside the requested server.

....Roy T. Fielding
    Department of ICS, University of California, Irvine USA
    Visiting Scholar, MIT/LCS + World-Wide Web Consortium
    (fielding@w3.org) (fielding@ics.uci.edu)

Received on Wednesday, 30 August 1995 17:04:47 UTC
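
The check both messages point toward, as an added example that is not part of the original thread or of any HTTP specification text: a cache refuses to store POST responses and accepts a 2xx `Location` as an extra storage key only when it names the server that was actually asked. The function names, the policy details and the `joe.example` host are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def authority(url):
    """Return (scheme, host, port) with case and default port normalized."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def storable_urls(method, request_url, status, headers):
    """URLs a shared cache may file this response under (hypothetical policy).

    - POST responses are never stored ("Can't cache POST").
    - On a 2xx response, Location is honoured as a second key only if it
      resolves to the same scheme/host/port as the request URL.
    """
    if method.upper() == "POST":
        return []
    keys = [request_url]
    # Header field names are case-insensitive.
    fields = {name.lower(): value for name, value in headers.items()}
    location = fields.get("location")
    if location and 200 <= status < 300:
        target = urljoin(request_url, location)  # resolves relative values
        if authority(target) == authority(request_url) and target not in keys:
            keys.append(target)
        # A Location on another server is ignored: the responder cannot
        # speak for content that lives there.
    return keys


# Constructed sample: the response headers quoted in the message above,
# served from a hypothetical host.
EVIL_HEADERS = {
    "Location": "http://www.microsoft.com",
    "Expires": "01 Jan 2001 12:00:00 pST",
}

if __name__ == "__main__":
    print(storable_urls("POST", "http://joe.example/form", 200, EVIL_HEADERS))
    print(storable_urls("GET", "http://joe.example/page", 200, EVIL_HEADERS))
    print(storable_urls("GET", "http://joe.example/a", 200, {"Location": "/b"}))
```
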