Re: GET and referer security considerations

David W. Morris:
>The BCP suggestion is valid in any case, but from an HTTP perspective,
>there has never been a distinction between the piece of software known as
>the server and applications it may launch ... the composite is "the

Yes. When I wrote

  Web servers SHOULD NOT use GET based forms ...

I meant web servers as a composite.  I did not mean to specify a
restriction which a poor httpd could never enforce by itself.  The
following restatement would also work:

  Authors of services which use the HTTP protocol SHOULD NOT use .....

>Dave Morris


Received on Wednesday, 2 July 1997 10:49:50 UTC