[1255] in WWW Security List Archive


Re: E-mail Address in WEB Browser

daemon@ATHENA.MIT.EDU (Larry Masinter)
Mon Dec 18 02:20:01 1995

To: mogens@mjosa.stanford.edu
CC: robertm@teleport.com, heling@virtu.sar.usf.edu,
        www-security@ns2.rutgers.edu
In-reply-to: Christian Mogensen's message of Thu, 14 Dec 1995 15:32:26 -0800 <199512142332.PAA19199@Mjosa.Stanford.EDU>
From: Larry Masinter <masinter@parc.xerox.com>
Date: Sun, 17 Dec 1995 21:01:36 PST
Errors-To: owner-www-security@ns2.rutgers.edu

> Actually, there is nothing that says a FORM result must be submitted 
> through a HTTP request.  Using <FORM ACTION="mailto:..."> is perfectly
> legal HTML, since mailto:... is a well defined URL.  On the other
> hand there is nothing that guarantees it will work either. 

RFC 1867, Form-based File Upload in HTML, defines a new media type
(multipart/form-data) which is more appropriate for return of form
information in mail than application/x-www-form-urlencoded.

It's not clear to me why the security considerations for forms
returned by mail and forms returned by HTTP are very different.

One of the (several) reasons RFC 1867 is classified as 'experimental'
is that the 'Security Considerations' section was considered weak. If
you have suggestions on what other security considerations should be,
I'd like to hear them.
