- From: Paul Leach <paulle@microsoft.com>
- Date: Thu, 11 Dec 1997 19:27:36 -0800
- To: Yaron Goland <yarong@microsoft.com>, "'jg@pa.dec.com'" <jg@pa.dec.com>
- Cc: Josh Cohen <joshco@microsoft.com>, Foteos Macrides <MACRIDES@sci.wfbr.edu>, lynx-dev@sig.net, http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

> ----------
> From: jg@pa.dec.com[SMTP:jg@pa.dec.com]
> Sent: Wednesday, December 10, 1997 4:48 PM
>
> <snip>
>
> I think you are confused.... In Rev-01, only an origin server is allowed
> to generate a 305 response. It is authoritative for that resource, so
> the spoofing problems don't come up (and is the reason for that text being
> in the document...)
>

And exactly how can the browser tell that it was the origin server that sent the 305? And not the untrustworthy proxy in between the client and the server? I know that normally one trusts one's proxy, but since security issues are being raised here, the question needs to be asked.

Paul

Received on Saturday, 13 December 1997 12:01:56 UTC