[1287] in WWW Security List Archive
Re: SECURITY ALERT: Password protection bug in Netscape 2.0b3
daemon@ATHENA.MIT.EDU (Dave Dittrich)
Wed Dec 20 15:22:12 1995
From: Dave Dittrich <dittrich@cac.washington.edu>
To: jsw@netscape.com (Jeff Weinstein)
Date: Wed, 20 Dec 1995 09:50:51 -0800 (PST)
Cc: www-security@ns1.rutgers.edu, wwilson@umich.edu
In-Reply-To: <30D7C293.12BD@netscape.com> from "Jeff Weinstein" at Dec 20, 95 00:00:19 am
Errors-To: owner-www-security@ns2.rutgers.edu
> ...
> If a content provider does not want their pages cached, they
> can send the 'Pragma: no-cache' http header.
> --Jeff
>
> --
> Jeff Weinstein - Electronic Munitions Specialist
> Netscape Communication Corporation
> jsw@netscape.com - http://home.netscape.com/people/jsw
> Any opinions expressed above are mine.
Can anyone provide a list of which servers actually allow one to do
this without going so far as to wrap everything in CGI scripts?
According to the HTML 2.0 DTD:
HTTP servers may read the content of the document <HEAD> to generate
header fields corresponding to any elements defining a value for the
attribute HTTP-EQUIV.
NOTE
The method by which the server extracts document meta-information
is unspecified and not mandatory. The <META> element only provides
an extensible mechanism for identifying and embedding document
meta-information -- how it may be used is up to the individual
server implementation and the HTML user agent.
I tried using the META tag to get the server (NCSA httpd 1.4) to
include this tag and the document always shows up in the Netscape 1.12
cache. Is NCSA httpd one of the servers that doesn't support this?
Which ones do?
Here is the HTML file contents:
<HTML>
<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<TITLE>Foo</TITLE>
</HEAD>
<BODY>
<H1>foo</H1>
</BODY>
</HTML>
Am I missing something here?
--
Dave Dittrich Client Services, Computing & Communications
dittrich@cac.washington.edu University of Washington
<a href="http://www.washington.edu/People/dad/">
Dave Dittrich / dittrich@cac.washington.edu</a>
