Re: HTML 2.0 LAST CALL: Security words

David - Morris (dwm@shell.portal.com)
Fri, 2 Jun 95 20:00:39 EDT

On Thu, 1 Jun 1995, Daniel W. Connolly wrote:

> In message <Pine.SUN.3.90.950601103934.12939D-100000@jobe.shell.portal.com>, Da
> vid - Morris writes:
> >
> >1. The http server log file which logs the GET request
>
> Clearly an HTTP security consideration, not HTML.

None of the security considerations are HTML, but rather the
consequences of certain HTML usage within the environment.
I discovered this issue at a client with a very competant security
guru who hadn't noticed.

>
> >2. The URL display field(s) provided my many user agents
>
> Since when are URLs so sensitive that the user should't know the
> address of the document s/he's looking at?

My concern is not the user, but rather someone who is looking
over the user's shoulder as the user leads a tour. Less concern,
but still an issue is the user who leaves an active browser
unattended with one of the local history documents having an
'address' which includes private information.

>
> > Information providers should also be aware that some current user
> > agents ignore the METHOD=POST specification and hence subject
> > all sensitive information to the above risk.
>
> Blech. Do they really? I don't want to put this in the spec. If
> somebody feels strongly that it should be included, let me know.

I perceive that the latest versions of the common UAs are now
correct. I've raised the issue but don't fee strongly.

The one observation I'd close with is that I believe security is
such an important issue that it is better to err on the side of
excessive warning.

Dave Morris