W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1997

Re: GET and referer security considerations

From: Siew Sim <siew.sim@starquest.com>
Date: Wed, 02 Jul 1997 11:17:26 -0700
Message-Id: <>
To: http-wg@cuckoo.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/3622
>Yes. When I wrote
>  Web servers SHOULD NOT use GET based forms ...
>I meant web servers as a composite.  I did not mean to specify a
>restriction which a poor httpd could never enforce by itself.  The
>following restatement would also work:
>  Authors of services which use the HTTP protocol SHOULD NOT use .....
Am I right that most if not all servers that support some kind of server 
side scripting language use GET based forms?  

Also, the different with GET and POST is where the argument list
is placed within the protocol.  Can't there be a restriction on the
referer header to exclude the argument list?  Besides, I think it 
might be helpful if an entity can specify in its response header if 
it does not like to be disclosed as a referer.


Siew Sim
StarQuest Connectivity Software
2150 Shattuck Ave. Suite 600
Berkeley, CA 94704
Received on Wednesday, 2 July 1997 11:27:38 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:20 UTC