[4503] in WWW Security List Archive
Re:Question about User Identity (CGI scripting)
daemon@ATHENA.MIT.EDU (Aymeric Grassart)
Wed Feb 19 16:52:05 1997
Date: Wed, 19 Feb 1997 14:01:18 -0600
To: daver@idiom.com (David Ray), www-security@ns2.rutgers.edu
From: Aymeric Grassart <aymeric@onShore.com>
Cc: Jim Harmon <jim@telecnnct.com>
Errors-To: owner-www-security@ns2.rutgers.edu
At 12:02 AM 2/19/97 -0800, David Ray wrote:
>
>
>At 12:34 PM 2/18/97, Jim Harmon wrote:
>> [snip]
>>
>> Without getting into login scripts for our IntraNet, is there a way for
>> me to capture the user's real account name via his/her browser? ...
>> Is there a way to include or discover that information in the CGI
>> Script?
>
>Years ago, some of the early browsers like Mosaic sent this information in
>the $REMOTE_USER environment variable, but it was considered a violation of
>privacy among users and this feature was dropped from all browsers since then.
>
>In fact, when JavaScript hackers found a way to capture the user's email
>address through JavaScript, Netscape considered it to be a bug in the
>browser and fixed it so that the email address could no longer be captured.
That's not exactly true. You can still call navigator.userAgent. But
Netscape won't let you submit a form with a mailto:email@domain.com as the
action without giving you a notice that you are about to let JavaScript
send an email using your email address, thereby letting the recipient
get your email address....
ccamel.
>
>-Dave
>
>
>
>