Re: E-mail Address in WEB Browser
On Thu, 14 Dec 1995, Joshua Heling wrote:
> I must admit I'm surprised that Netscape didn't at least do something
> like add a headerfield (X-Originated-From, for example), in cases where
> the user input name and return mail address indicated a different domain
> than they were really in.

Actually, the "From:" header is an optional part of the HTTP spec that no
browser I know chooses to send, in any fashion, with its requests. The
security reason is obvious, but it seems like it would be relatively easy
to add a "Send From header with HTTP requests" checkbox to the browser
prefs. Then HTTP_FROM would be available for server and CGI use (although
still unconfirmable).

I think Netscrape should have considered this before encouraging
everyone to use "mailto" as a form action element (in the usual
let's-screw-the-standards Netscape way).

> However, I think we're looking over perhaps the easiest way to check
> validity - the Received: headers on the mail. If I send mail that claims
> to be from martin@martian.org, and you examined the headers, you would
> see that the first machine it traveled through was virtu.sar.usf.edu.
> You would then see it go through a bunch of others, but almost certainly
> *never* any machine in the martian.org domain. This makes it pretty much
> a dead giveaway.
>
> - --Joshua
>
> Addendum - I say this in the context of web mailto: forms alone,
> really. Of course for more serious or sensitive email, there's
> absolutely no replacement for strong digital signatures and/or encryption.

Ditto.

Robert Muhlestein
Teleport Creative Services
CGI-BIN Programmer
cgi@teleport.com
My comments are mine alone.
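
The Received:-header check described in the quoted text, sketched as an added Python example (not code from the thread): it lists the relay hosts oldest hop first and flags a message whose From: domain never appears among them. The sample message, the `example.net` hosts and the 192.0.2.x addresses are constructed; only `martian.org` and `virtu.sar.usf.edu` come from the post.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not from the thread): claims martian.org as sender but
# was relayed only through hosts in other domains. IPs are documentation-range.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [192.0.2.20])
\tby inbox.example.net with SMTP; Thu, 14 Dec 1995 10:02:11 -0800
Received: from virtu.sar.usf.edu (virtu.sar.usf.edu [192.0.2.10])
\tby relay.example.net with SMTP; Thu, 14 Dec 1995 10:02:05 -0800
From: Martin <martin@martian.org>
To: webmaster@example.net
Subject: form submission

hello
"""

# Hostname following the "from" or "by" keyword of a Received: header.
HOP_RE = re.compile(r"\b(?:from|by)\s+([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)

def in_domain(host, domain):
    """True if host is the domain itself or a subdomain (not a mere suffix)."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def relay_hosts(msg):
    """Hosts named in Received: headers, oldest hop first, de-duplicated."""
    hosts = []
    # Each relay prepends its header, so the last one is the earliest hop.
    for value in reversed(msg.get_all("Received", [])):
        for host in HOP_RE.findall(value):
            if host.lower() not in hosts:
                hosts.append(host.lower())
    return hosts

def check_from(raw):
    """Compare the From: domain with the hosts the message travelled through."""
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    hops = relay_hosts(msg)
    # Heuristic only: legitimate mail may relay via another domain, and
    # Received: lines below the first relay you trust can be forged too.
    suspicious = bool(domain and hops) and not any(in_domain(h, domain) for h in hops)
    return {"from_domain": domain, "hops": hops, "suspicious": suspicious}

if __name__ == "__main__":
    print(check_from(SAMPLE))
```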