- From: Koen Holtman <koen@win.tue.nl>
- Date: Fri, 4 Jul 1997 21:27:40 +0200 (MET DST)
- To: Siew Sim <siew.sim@starquest.com>
- Cc: http-wg@cuckoo.hpl.hp.com
Siew Sim: > [....] > >Also, the different with GET and POST is where the argument list >is placed within the protocol. Can't there be a restriction on the >referer header to exclude the argument list? There could be requirements on chopping off the argument list, but this does not solve the security problem, because legacy 1.0 user agents would not chop things off when making a referer header. Also, the GET URL would still get logged, with its argument list, in the history databases or log files of legacy 1.0 user agents, proxies, and origin servers. The only road to security on this is advising people to use POST based forms. >Siew Koen.
Received on Friday, 4 July 1997 12:31:32 UTC