- From: Eric J Bowman <mellowmutt@zoho.com>
- Date: Wed, 14 Jul 2021 14:48:25 -0700
- To: "Watson Ladd" <watsonbladd@gmail.com>
- Cc: "ietf-http-wg" <ietf-http-wg@w3.org>
Received on Wednesday, 14 July 2021 21:48:45 UTC
---- On Wed, 14 Jul 2021 14:03:02 -0700 Watson Ladd <mailto:watsonbladd@gmail.com> wrote ---- ... As far as I could tell post parameters are not covered by a signature, and thus are vulnerable to modification. Modifying posted form data could be very problematic. It's fine if out of scope, but feels like it should be included to be useful, especially given that form data can interact with URL query parameters. ... Pardon my antiquated beliefs and terminology, but... POST parameters are just an URL and it's up to Layer 7 to validate URLs. They're meant to be modified, some folks call it a Web API. IMO, "message signature" applies to a payload not an URL. Feature not bug. -Eric
Received on Wednesday, 14 July 2021 21:48:45 UTC