Re: RFC2368 security considerations



On 2005-06-12 18:46:44 +0200, Thomas Roessler wrote:
> One thing we could do is to restrict the headers accepted from a
> mailto URL to those shown on the compose screen, maybe even minus
> From.  Everything else could either be disregarded, or maybe have
> "x-mailto-url" prepended to it.

An x-mailto-url header would be a security hole as such a URL could
be a private one (i.e. on a private page, such as on an intranet or
after authentication) and contain sensitive information (e.g. Bcc
addresses).

-- 
Vincent Lefèvre <vincent@xxxxxxxxxx> - Web: <http://www.vinc17.org/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.org/blog/>
Work: CR INRIA - computer arithmetic / SPACES project at LORIA
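As an added illustration of the header-restriction approach discussed in the thread (example code, not from the thread or from any mail client): a parser for RFC 2368 mailto: URLs that keeps only an assumed allowlist of compose-screen headers and silently discards everything else, Bcc and From included, rather than copying it into an x-mailto-url header.

```python
from urllib.parse import unquote

# Headers a client may take from the URL because the user sees them on the
# compose screen. Assumed list for this example; "to" is handled separately.
ALLOWED_HEADERS = {"cc", "subject", "body"}


def parse_mailto(url):
    """Return (addresses, headers, dropped) for a mailto: URL.

    Headers not in ALLOWED_HEADERS are dropped outright, not preserved under
    a prefixed name: the URL may come from a private page and its contents
    must not leak into the outgoing message.
    """
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "mailto":
        raise ValueError("not a mailto: URL")
    # RFC 2368: "mailto:" addr-spec list, then '?' and hname=hvalue pairs.
    # Only %XX escapes are used; '+' is literal, so unquote() rather than a
    # form-decoding helper is the right decoder here.
    path, _, query = rest.partition("?")
    addresses = [a for a in unquote(path).split(",") if a]
    headers, dropped = {}, []
    for item in query.split("&") if query else []:
        name, _, value = item.partition("=")
        key, value = unquote(name).lower(), unquote(value)
        if "\r" in value or "\n" in value:
            # Line breaks would start a new header; refuse the whole pair.
            dropped.append(key)
        elif key == "to":
            addresses.extend(a for a in value.split(",") if a)
        elif key in ALLOWED_HEADERS:
            headers[key] = value
        else:
            dropped.append(key)  # e.g. bcc, from, x-anything
    return addresses, headers, dropped


if __name__ == "__main__":
    # Constructed sample URL, as a private page might carry it.
    sample = ("mailto:joe@example.com?cc=bob@example.com"
              "&bcc=secret@example.com&subject=Hi%20there&From=x@example.com")
    print(parse_mailto(sample))
```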