[Zope] URLs expose information which we'd like to hide

Jean-Francois.Doyon at CCRS.NRCan.gc.ca Jean-Francois.Doyon at CCRS.NRCan.gc.ca
Wed Feb 4 15:27:28 EST 2004


Not to mention that if the originator of the link is a web page, the
information is in the HTML code, even if using a POST.

Otherwise, in Zope, using GET or POST works equally well. Unless you do
something really special, you can actually switch between using one or the
other without changing code or anything else.

J.F.

-----Original Message-----
From: zope-bounces at zope.org [mailto:zope-bounces at zope.org] On Behalf Of
Jamie Heilman
Sent: Wednesday, February 04, 2004 3:23 PM
To: zope at zope.org
Subject: Re: [Zope] URLs expose information which we'd like to hide


Dennis Allison wrote:
> The parameters passed by GET and, to a lesser extent, the URLs themselves,
> represent a security issue in one of our systems. 

What does that mean?  Why do you think it's a security issue?
 
> A partial solution would be to make POST not GET the standard for
> parameter transmittal.  Has anyone tried this?  I suspect there are all
> sorts of hidden gotchas.

Using POST to send query params instead of GET is trivial.  The only
gotchas are that very few browsers handle redirecting POST
transactions correctly.  This doesn't have anything to do with
security though.

-- 
Jamie Heilman                     http://audible.transient.net/~jamie/
"...thats the metaphorical equivalent of flopping your wedding tackle
 into a lion's mouth and flicking his lovespuds with a wet towel, pure
 insanity..."                                           -Rimmer
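
Added example, not part of the thread and not Zope code: a small model of the two points made in the messages above, that a handler reading one merged form mapping is unchanged by a switch from GET to POST, and that the switch takes the parameters out of the request line that access logs record while the originating HTML still contains them. The path, parameter name, client address and log format are constructed for illustration.

```python
# Added illustration; not Zope code. All names and sample values are constructed.
from html import escape
from urllib.parse import parse_qs, urlencode

def build_request(method, path, params):
    """Return (request_line, body) as a browser would send the parameters."""
    encoded = urlencode(params)
    if method == "GET":
        return f"GET {path}?{encoded} HTTP/1.1", ""
    return f"POST {path} HTTP/1.1", encoded

def parse_form(request_line, body):
    """Merge query-string and body parameters into one mapping, so the
    handler never needs to know which method carried them."""
    query = request_line.split(" ")[1].partition("?")[2]
    form = {}
    for source in (query, body):
        for key, values in parse_qs(source).items():
            form[key] = values[-1]
    return form

def handler(form):
    """Application code: identical for GET and POST."""
    return f"report for account {form['account']}"

def access_log_line(request_line):
    """Common Log Format style entry: records the request line, not the body."""
    return f'192.0.2.10 - - [04/Feb/2004:15:27:28 -0500] "{request_line}" 200 512'

def html_form(method, path, params):
    """The page that originates the request still carries the values."""
    fields = "".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in params.items()
    )
    return f'<form method="{method}" action="{escape(path)}">{fields}</form>'

if __name__ == "__main__":
    params = {"account": "acct-7731"}  # constructed sample value
    for method in ("GET", "POST"):
        line, body = build_request(method, "/reports/view", params)
        print(handler(parse_form(line, body)))
        print(access_log_line(line))
        print(html_form(method, "/reports/view", params))
```

With POST the value no longer appears in the logged request line, but it is still present in the form markup served to the browser.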
