Re: Meta element to prevent resending post data

On Sat, Jan 28, 2012 at 9:25 PM, Benjamin Hawkes-Lewis <bhawkeslewis@googlemail.com> wrote:

> 2012/1/27 Samuel Santos <samaxes@gmail.com>:
> >> * History navigation (Back button) should always read POSTed pages from
> >> cache, even if pages had Cache-Control: no-cache set (this is
> >> RFC-compliant). This way there is no unexpected resubmission happening
> >> automatically, and—unless user forces browser to clear the cache—there is no
> >> need to ask any questions or switch to GET.
> >
> >
> > That should not work with HTTPS.
>
> Says what?
>
> > If it does, it's a serious security issue.
>
> How so?
>

SSL+no-cache is just like no-store for purposes of history code. And
unfortunately, that behavior is needed to make existing bank sites secure
(in the "someone who walks up to the computer after you click the logout
link can't just go back through history to the site").


>
> --
> Benjamin Hawkes-Lewis
>

--
Samuel Santos
http://www.samaxes.com/

Received on Saturday, 28 January 2012 23:30:07 UTC
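The rule Samuel describes (no-store is never restored from history, and over HTTPS no-cache is treated the same way) as a small audit helper; this is an added example, not code from the thread or from any browser, and the URLs and responses it checks are constructed for illustration.

```python
"""Audit whether authenticated pages could be shown again via the Back button.

Applies the history behaviour stated in the thread: a response with
`no-store` is never restored from history, and over HTTPS `no-cache` is
treated like `no-store`. Anything else may be shown without a new request.
"""
from typing import Dict, List, Tuple


def parse_cache_control(header: str) -> Dict[str, str]:
    """Parse a Cache-Control value into {directive: argument}, names lowercased."""
    directives: Dict[str, str] = {}
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"')
    return directives


def restorable_from_history(scheme: str, cache_control: str) -> bool:
    """True if Back navigation may show the stored copy without re-fetching."""
    cc = parse_cache_control(cache_control)
    if "no-store" in cc:
        return False
    if scheme.lower() == "https" and "no-cache" in cc:
        return False  # the SSL+no-cache case from the thread
    return True


def audit(responses: List[Tuple[str, str, str, bool]]) -> List[Tuple[str, str]]:
    """Return (url, advice) for authenticated pages history could reveal."""
    findings = []
    for url, scheme, cache_control, authenticated in responses:
        if authenticated and restorable_from_history(scheme, cache_control):
            findings.append((url, "add Cache-Control: no-store"))
    return findings


# Constructed sample responses: (url, scheme, Cache-Control, is_authenticated)
SAMPLE_RESPONSES = [
    ("https://bank.example/accounts", "https", "no-cache", True),
    ("https://bank.example/statements", "https", "private, max-age=0", True),
    ("http://intranet.example/portal", "http", "no-cache", True),
    ("https://bank.example/", "https", "public, max-age=3600", False),
]

if __name__ == "__main__":
    for url, advice in audit(SAMPLE_RESPONSES):
        print(f"{url}: {advice}")
```

The two findings are the pages a logout link does not protect under the thread's rule: `private, max-age=0` over HTTPS and `no-cache` over plain HTTP both leave the copy restorable, so only `no-store` is safe regardless of scheme.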