
Re: GET and referer security considerations

From: Koen Holtman <koen@win.tue.nl>
Date: Fri, 4 Jul 1997 21:27:40 +0200 (MET DST)
Message-Id: <199707041927.VAA01038@wsooti08.win.tue.nl>
To: Siew Sim <siew.sim@starquest.com>
Cc: http-wg@cuckoo.hpl.hp.com
Siew Sim:
>
[....]
>
>Also, the difference between GET and POST is where the argument list
>is placed within the protocol.  Can't there be a restriction on the
>referer header to exclude the argument list?

There could be requirements on chopping off the argument list, but this
does not solve the security problem, because legacy 1.0 user agents
would not chop things off when making a referer header.

Also, the GET URL would still get logged, with its argument list, in
the history databases or log files of legacy 1.0 user agents, proxies,
and origin servers.

The only road to security on this is advising people to use POST-based
forms.

>Siew

Koen.
Received on Friday, 4 July 1997 12:31:32 EDT
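The two leakage paths Koen describes (the GET argument list ending up in the Referer header, and the same argument list ending up in server log files) can be checked for in an access log. The following is an added example, not code from the original thread; it assumes logs in the common "combined" format, and the list of sensitive parameter names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format: client ident user [time] "request" status bytes "referer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed list of parameter names that commonly carry secrets (assumption, not from the message).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "session", "sessionid", "ssn", "cardnumber"}


def sensitive_params(url):
    """Return the sorted names of sensitive parameters found in a URL's argument list."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True) if k.lower() in SENSITIVE_PARAMS})


def scan_log(lines):
    """Flag entries where a GET argument list carrying secrets reached the log, either via
    the request line (origin-server logging) or via the Referer a client sent (referer leakage)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip it
        parts = m["request"].split()
        if len(parts) == 3:  # method, target, version
            target = parts[1]
            # Origin-form targets are bare paths; add a dummy origin so urlsplit sees the query.
            url = target if "://" in target else "http://host" + target
            names = sensitive_params(url)
            if names:
                findings.append((m["client"], "request", names))
        names = sensitive_params(m["referer"])
        if names:
            findings.append((m["client"], "referer", names))
    return findings


# Constructed sample log lines (not from the original message).
SAMPLE_LOG = [
    '203.0.113.5 - - [04/Jul/1997:21:27:40 +0200] "GET /login?user=alice&password=hunter2 HTTP/1.0" 200 512 "http://www.example.com/" "Mozilla/3.0"',
    '203.0.113.6 - - [04/Jul/1997:21:28:01 +0200] "GET /welcome.html HTTP/1.0" 200 512 "http://www.example.com/login?user=alice&password=hunter2" "Mozilla/3.0"',
    '203.0.113.7 - - [04/Jul/1997:21:28:30 +0200] "POST /login HTTP/1.0" 200 512 "http://www.example.com/" "Mozilla/3.0"',
]

if __name__ == "__main__":
    for client, field, names in scan_log(SAMPLE_LOG):
        print(f"{client}: secrets {names} exposed via {field}")
```

The POST entry produces no finding because its argument list travelled in the request body, which neither the request line nor a Referer header carries.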
