Feature Proposal: Restricting %HTTP{...}% not to yield certain header fields

Motivation

Cookie values should not be retrievable via %HTTP{COOKIE}% because they may carry sensitive information such as a login session identifier. The same applies to %HTTPS{COOKIE}%.

Description and Documentation

The HTTP header fields listed in {HTTP}{HiddenFields} (a comma separated list, with optional whitespace after each comma) become unavailable through %HTTP{...}% and %HTTPS{...}%. Just like the parameter of %HTTP{...}%, the names in {HTTP}{HiddenFields} are matched case-insensitively and dash/underscore agnostically, so cookie, Cookie and COOKIE all name the same field. The proposed default setting:

$TWiki::cfg{HTTP}{HiddenFields} = 'cookie';
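
The following stand-alone Perl script is an added example of how such a filter could be applied; it is not TWiki's own code. It models %HTTP{...}% and %HTTPS{...}% as lookups of CGI-style HTTP_* and HTTPS_* environment variables over a constructed request environment, and the names %cfg, canon_name(), hidden_field_set() and header_value() are assumptions made for the illustration. It also goes slightly beyond the text by listing a second field, to show that the list parsing, the optional-space handling and the dash/underscore matching all work together.

```perl
#!/usr/bin/perl
# Added example, not TWiki's implementation: model how a
# {HTTP}{HiddenFields} deny list could gate %HTTP{...}% and %HTTPS{...}%.
use strict;
use warnings;

# Constructed stand-in for $TWiki::cfg (assumption: only this key matters here).
my %cfg = ( HTTP => { HiddenFields => 'cookie, X-Forwarded-For' } );

# Normalise a header name the way %HTTP{...}% parameters are matched:
# case-insensitive and dash/underscore agnostic.
sub canon_name {
    my ($name) = @_;
    $name = lc $name;
    $name =~ tr/-/_/;
    return $name;
}

# Turn the comma (+ optional space) separated list into a lookup set.
# Empty entries (e.g. a trailing comma) are ignored.
sub hidden_field_set {
    my ($list) = @_;
    my %set;
    for my $field ( split /\s*,\s*/, ( $list // '' ) ) {
        $field =~ s/^\s+|\s+$//g;
        next if $field eq '';
        $set{ canon_name($field) } = 1;
    }
    return \%set;
}

# Resolve %HTTP{$name}% ($variant eq 'HTTP') or %HTTPS{$name}%
# ($variant eq 'HTTPS') against CGI-style environment variables such as
# HTTP_COOKIE or HTTPS_COOKIE. A hidden field yields '' regardless of
# how the caller spelled it; an absent header also yields ''.
sub header_value {
    my ( $variant, $name, $env, $hidden ) = @_;
    my $canon = canon_name($name);
    return '' if $hidden->{$canon};
    my $key = $variant . '_' . uc $canon;
    return $env->{$key} // '';
}

# Constructed request environment, not a real capture.
my %env = (
    HTTP_COOKIE          => 'TWIKISID=0123456789abcdef',
    HTTPS_COOKIE         => 'TWIKISID=0123456789abcdef',
    HTTP_USER_AGENT      => 'Mozilla/5.0',
    HTTP_X_FORWARDED_FOR => '203.0.113.7',
);

my $hidden = hidden_field_set( $cfg{HTTP}{HiddenFields} );

for my $probe ( [ 'HTTP', 'COOKIE' ], [ 'HTTPS', 'cookie' ],
                [ 'HTTP', 'x_forwarded_for' ], [ 'HTTP', 'User-Agent' ] ) {
    my ( $variant, $name ) = @$probe;
    printf "%%%s{%s}%% => '%s'\n", $variant, $name,
        header_value( $variant, $name, \%env, $hidden );
}
```

Run as a plain script: the first three probes print an empty value because cookie and X-Forwarded-For are hidden under every spelling tried, while %HTTP{User-Agent}% still returns the constructed Mozilla/5.0 string. Because both variants share one canonicalised set, a field hidden from %HTTP{...}% is automatically hidden from %HTTPS{...}% as well. Note that this is a deny list: any header not named in {HTTP}{HiddenFields} remains readable, so each deployment has to decide which other fields it considers sensitive.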

Examples

Impact

Implementation

-- Contributors: HideyoImazu - 2012-11-01

Discussion

This makes sense. The cookie header could even be set by default.

As for name, we already have a standard for {VARIABLE}{SomeStuff}, so I recommend something like {HTTP}{HiddenFields}.

-- PeterThoeny - 2012-11-01

I agree with {HTTP}{HiddenFields} and I reflected it above.

I agree that cookie should be in {HTTP}{HiddenFields} by default.

-- HideyoImazu - 2012-11-02

TWiki already uses comma-space separated lists and regex filters. A regex filter might be overkill for this feature, but if you do use one, reflect it in the name, such as {HTTP}{HeaderFieldFilter}.

If you use {HTTP}{HiddenFields} as proposed I recommend to implement and document this as a comma (+ optional space) separated list.

-- PeterThoeny - 2012-11-02

Accepted by 7 day review period at JerusalemReleaseMeeting2012x11x09.

-- PeterThoeny - 2012-11-09

Reflected Peter's suggestion at the Description and Documentation section.

%HTTPS{...}% in addition to %HTTP{...}% needs to be taken care of, which is reflected above.

-- HideyoImazu - 2012-12-26

Topic revision: r8 - 2013-02-18 - HideyoImazu