- From: Nick Harper <ietf@nharper.org>
- Date: Wed, 14 Jul 2021 15:10:16 -0700
- To: Eric J Bowman <mellowmutt@zoho.com>
- Cc: Watson Ladd <watsonbladd@gmail.com>, ietf-http-wg <ietf-http-wg@w3.org>
Received on Wednesday, 14 July 2021 22:10:39 UTC
Parameters in the URL would be covered by the @request-content content identifier. The body of a POST request could be covered by a digest content identifier, assuming that the request includes a Digest HTTP header.

On Wed, Jul 14, 2021 at 2:51 PM Eric J Bowman <mellowmutt@zoho.com> wrote:

> ---- On Wed, 14 Jul 2021 14:03:02 -0700 *Watson Ladd <watsonbladd@gmail.com>* wrote ----
>
> > ...
> >
> > As far as I could tell post parameters are not covered by a signature, and thus are vulnerable to modification. Modifying posted form data could be very problematic. It's fine if out of scope, but feels like it should be included to be useful, especially given that form data can interact with URL query parameters.
> >
> > ...
>
> Pardon my antiquated beliefs and terminology, but...
>
> POST parameters are just an URL and it's up to Layer 7 to validate URLs. They're meant to be modified, some folks call it a Web API. IMO, "message signature" applies to a payload not an URL. Feature not bug.
>
> -Eric
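The body-coverage point in the reply above, as an added example that is not part of the original message or of the draft: a signature that covers the `Digest` header protects posted form data only if the verifier also recomputes the digest over the body it received. The signature base layout, the HMAC key, the function names and the sample request are constructed for illustration and are not the draft's wire format.

```python
import base64
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared secret, illustration only


def digest_header(body: bytes) -> str:
    """Digest header value in the RFC 3230 / RFC 5843 form: SHA-256=<base64>."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()


def signature_base(method: str, target: str, digest: str) -> bytes:
    # Simplified stand-in for the draft's signature input (assumption): one
    # line per covered component. The target carries the URL query
    # parameters; the digest line is what binds the POST body.
    return f"method: {method}\ntarget: {target}\ndigest: {digest}".encode()


def _mac(method: str, target: str, digest: str) -> str:
    return hmac.new(KEY, signature_base(method, target, digest), hashlib.sha256).hexdigest()


def sign(method: str, target: str, body: bytes) -> dict:
    digest = digest_header(body)
    return {"Digest": digest, "Signature": _mac(method, target, digest)}


def verify(method: str, target: str, headers: dict, body: bytes) -> str:
    digest = headers.get("Digest")
    if digest is None:
        # Without a Digest header nothing in the signature refers to the body.
        return "no digest: body not covered"
    # Step 1: the signature must cover the Digest header as received.
    if not hmac.compare_digest(_mac(method, target, digest), headers.get("Signature", "")):
        return "bad signature"
    # Step 2: the received body must hash to the signed Digest value.
    # Skipping this leaves form data modifiable under a valid signature.
    if not hmac.compare_digest(digest_header(body), digest):
        return "body does not match digest"
    return "ok"


# Constructed sample request: query parameter in the URL, form data in the body.
TARGET = "/transfer?currency=USD"
BODY = b"to=alice&amount=10"
HEADERS = sign("POST", TARGET, BODY)
```
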