
Re: GET and referer security considerations

From: Andrew Daviel <andrew@andrew.triumf.ca>
Date: Wed, 2 Jul 1997 15:58:20 -0700 (PDT)
To: Matthew Rubenstein <ruby@name.net>
Cc: http-wg@cuckoo.hpl.hp.com
Message-Id: <Pine.LNX.3.95.970702154540.1814C-100000@andrew.triumf.ca>
On Wed, 2 Jul 1997, Matthew Rubenstein wrote:

> 	Submitting a <FORM> via GET is bad for several reasons. The insecurity of
> the subsequent GET/HEAD/POST request's REFERER field containing information
> intended to be private is an important consideration. It is also important
> to realize that the info-encoded URL will likely be visible in the UA, in

I think the convention is to use POST for submitting information and GET
for queries (like search engines). POST results may not be cached; so
if the result is a list of links, exploring several links
in a simplistic manner may require re-posting the form data each time
one goes back to the list - clearly an inefficient process. So
GET is not always bad.

Andrew

(this was a real example from the IBM patent server, but I didn't
investigate to check Expires headers, etc. Netscape 3.0 made me re-post)
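The point raised in this exchange, that a GET-submitted form encodes its fields into the URL and that URL then travels in the Referer header of any request the user makes from the result page, can be checked mechanically. The following Python script is an added example and is not code from the thread or from the HTTP working group: it audits constructed HTML for GET forms that carry password-type or otherwise sensitive fields, shows how the same field set ends up in the request URL under GET but not under POST, and reports which field names a Referer built from that URL would disclose. The sensitive-name list, the sample HTML and the helper names are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# Field names treated as sensitive for the audit (an assumption; extend per site).
SENSITIVE_NAMES = {"password", "passwd", "ssn", "creditcard", "secret", "token"}


class FormAuditor(HTMLParser):
    """Collects every <form> with its method, action and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # HTML defaults the method to GET when the attribute is absent.
            self._current = {
                "method": (a.get("method") or "get").lower(),
                "action": a.get("action") or "",
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append(
                {"name": a.get("name") or "", "type": (a.get("type") or "text").lower()}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html):
    """Return (action, [risky field names]) for each GET form that would
    place a password or other sensitive field into the request URL."""
    parser = FormAuditor()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if form["method"] != "get":
            continue  # POST keeps the fields in the body, not the URL
        risky = [
            f["name"] for f in form["fields"]
            if f["type"] == "password" or f["name"].lower() in SENSITIVE_NAMES
        ]
        if risky:
            findings.append((form["action"], risky))
    return findings


def submission_url(action, method, data):
    """Reproduce the request-target a user agent builds for a form submission:
    GET appends the encoded fields to the URL, POST leaves the URL alone."""
    if method.lower() == "get":
        return action + "?" + urlencode(data)
    return action


def referer_leaks(result_url, sensitive_names):
    """Given the URL of the page that displayed the form's result, return the
    sensitive field names a Referer header carrying that URL would disclose to
    the next site the user follows a link to."""
    query = parse_qs(urlsplit(result_url).query)
    return sorted(name for name in sensitive_names if name in query)


# Constructed sample page: a login form submitted via GET (risky), a search
# form via the default GET (fine, as the thread notes for queries), and a
# POST form carrying a password (not exposed in the URL).
SAMPLE_HTML = """
<form method="get" action="/login">
  <input name="user"><input type="password" name="password">
</form>
<form action="/search"><input name="q"></form>
<form method="POST" action="/change">
  <input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    for action, fields in audit_forms(SAMPLE_HTML):
        print(f"GET form {action} exposes {fields} in the URL")
    creds = {"user": "alice", "password": "hunter2"}
    for method in ("get", "post"):
        url = submission_url("/login", method, creds)
        print(method.upper(), url, "-> Referer would leak:", referer_leaks(url, creds))
```

Running the script flags only the GET login form; the search form is left alone because a query string such as `q=...` is exactly the case the reply describes as a reasonable use of GET, and it is also what lets the result page be cached and revisited without re-submission.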

Received on Wednesday, 2 July 1997 16:16:28 EDT
