Re: Security in HTTP and caches

Henrik Frystyk Nielsen (frystyk@ptsun00.cern.ch)
Thu, 3 Nov 94 12:26:41 +0100

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Chris Lilley, Computer Graphics Unit: "Re: An MGET proposal for HTTP"
Previous message: H&kon W Lie: "HTML style sheets"
Maybe in reply to: Nick Williams: "Security in HTTP and caches"
Next in thread: Simon E Spero: "Re: Security in HTTP and caches"

> > (a) the client should always fills in the from field (if nothing else,
> > with "nobody"@current-domain-name).
>
> The great public fiercely disagrees having their email address
> automatically sent -- it's a privacy issue, and I so wouldn't enforce
> the From field.
>
> > (2) Allow servers to use host based authentication based on From address
> > rather than socket-peer address.
>
> >From field is much easier forge than peer address, even a newbie could
> do it.

The From: field is a service field used for: 'if you want to contact me
then use this address'. For this reason it _should_ be very easy to change
but at the same time it should not be used for anything else.

-- cheers --

Henrik

Next message: Chris Lilley, Computer Graphics Unit: "Re: An MGET proposal for HTTP"
Previous message: H&kon W Lie: "HTML style sheets"
Maybe in reply to: Nick Williams: "Security in HTTP and caches"
Next in thread: Simon E Spero: "Re: Security in HTTP and caches"