Re: GET and referer security considerations (Koen Holtman) wrote:
>David W. Morris:
>>The BCP suggestion is valid in any case, but from an HTTP perspective,
>>there has never been a distinction between the piece of software known as
>>the server and applications it may launch ... the composite is "the
>Yes. When I wrote
>  Web servers SHOULD NOT use GET based forms ...
>I meant web servers as a composite.  I did not mean to specify a
>restriction which a poor httpd could never enforce by itself.  The
>following restatement would also work:
>  Authors of services which use the HTTP protocol SHOULD NOT use .....

	Your posted example referred to a form rely for an https ACTION
with method GET, but just to be complete about that, the need to block
a Referer header also applies for an http ACTION because the form might
have included an INPUT TYPE="password" or other private information, but
it doesn't apply, IMHO, to the ?searchpart for an ISINDEX reply.  Do you
agree?  It can be very useful to see what queries were used successfully,
based on requests for URLs from the hit lists, for improving the ISINDEX
cover pages of local search services (though the major public ones use
forms, so this is not a major issue :).  What I'm saying, in effect, is
that if what follows the '?' doesn't contain an '=', the URL is OK to use
in a Referer header.

	If a client always blocks Referer headers when the URL has a
?searchpart that includes an '=', then ones which are being used for
state management but weren't the content of an actual form submission
also will be blocked.  Is that a problem?  I don't see one, since it's
the ?searchpart in the actual requests, not Referer headers, which
normally are being used for state management, but it's possible at
present to use both, and I wonder if any major service does in some
useful way.


 Foteos Macrides            Worcester Foundation for Biomedical Research
 MACRIDES@SCI.WFBR.EDU         222 Maple Avenue, Shrewsbury, MA 01545

Received on Wednesday, 2 July 1997 11:26:37 UTC