Re: GET and referer security considerations

>Yes. When I wrote
>  Web servers SHOULD NOT use GET based forms ...
>I meant web servers as a composite.  I did not mean to specify a
>restriction which a poor httpd could never enforce by itself.  The
>following restatement would also work:
>  Authors of services which use the HTTP protocol SHOULD NOT use .....

Am I right that most if not all servers that support some kind of server-side
scripting language use GET based forms?

Also, the difference between GET and POST is where the argument list
is placed within the protocol.  Can't there be a restriction on the
referer header to exclude the argument list?  Besides, I think it 
might be helpful if an entity can specify in its response header if 
it does not like to be disclosed as a referer.


Siew Sim
StarQuest Connectivity Software
2150 Shattuck Ave. Suite 600
Berkeley, CA 94704

Received on Wednesday, 2 July 1997 11:27:38 UTC
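
The two restrictions proposed in the message above, sketched as an added example that is not part of the original post: a client that drops the argument list from the Referer it sends, and that sends no Referer at all when the referring page's response asked not to be disclosed. The header name `X-No-Referer` and the function names are hypothetical, and the sample URLs in the comments are constructed.

```javascript
// Hypothetical opt-out header a page could send in its response to say
// "do not disclose me as a referer". Not a real HTTP header.
const OPT_OUT_HEADER = "x-no-referer";

// Header names are case-insensitive, so compare them in lower case.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value);
  }
  return out;
}

// True when the referring page's response carried the opt-out header.
function pageOptedOut(responseHeaders) {
  const value = normalizeHeaders(responseHeaders)[OPT_OUT_HEADER];
  return value !== undefined && value.trim().toLowerCase() === "true";
}

// Build the Referer value for a request that originates from pageUrl.
// Returns null when no Referer header should be sent.
function buildReferer(pageUrl, responseHeaders = {}) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return null; // unparseable URL: send nothing rather than guess
  }
  // Only http(s) pages are disclosed; local or opaque schemes never are.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  // Second proposal: the page itself declined to be named as a referer.
  if (pageOptedOut(responseHeaders)) return null;
  // First proposal: exclude the argument list of a GET form submission.
  url.search = "";
  // The fragment and any embedded credentials are dropped as well.
  url.hash = "";
  url.username = "";
  url.password = "";
  return url.href;
}

// Constructed sample: result page of a GET based form.
// buildReferer("http://shop.example/search?user=alice&acct=12345#top")
//   returns "http://shop.example/search"
```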