W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 1997

Re: GET and referer security considerations

From: Koen Holtman <koen@win.tue.nl>
Date: Fri, 4 Jul 1997 21:27:40 +0200 (MET DST)
Message-Id: <199707041927.VAA01038@wsooti08.win.tue.nl>
To: Siew Sim <siew.sim@starquest.com>
Cc: http-wg@cuckoo.hpl.hp.com
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/3658 
Siew Sim:
>
[....]
>
>Also, the different with GET and POST is where the argument list
>is placed within the protocol.  Can't there be a restriction on the
>referer header to exclude the argument list?

There could be requirements on chopping off the argument list, but this
does not solve the security problem, because legacy 1.0 user agents
would not chop things off when making a referer header.

Also, the GET URL would still get logged, with its argument list, in
the history databases or log files of legacy 1.0 user agents, proxies,
and origin servers.

The only road to security on this is advising people to use POST based
forms.

>Siew

Koen.
Received on Friday, 4 July 1997 12:31:32 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:02 UTC