
Re: caching of form posts in netscape (was:(none))



Lucky Green wrote:
> 
> Yes, Netscape caches passwords.
> 
> [ forwarded message from sfnb deleted ]

  The problem is that form post data was being used as part of the database
key for storing and accessing form posts in our cache.  The current
workaround for this problem is to use the 'pragma: no-cache' HTTP header.

  I just sat down with the responsible engineer and helped him fix this.
The fix will be in our next beta (marketing name of Atlas Preview Release 2,
user-agent of Mozilla/3.0b3).

  This next beta will also include several other security/privacy related
features/preferences:

	1) Preference to enable sending of email address for anon ftp password.
	   The 2.0 release always sends "mozilla@" as the anon ftp password, to
	   protect the privacy of our users.  We are now giving the user the
	   ability to enable sending of their e-mail address if they choose.

	2) Warning dialog on "mailto:" form posts.  The user will be warned
	   that the form submission is via e-mail and will be given the
	   opportunity to cancel the operation.  The warning can be turned
	   off via a preference.

	3) There will be an option to enable/disable disk caching of documents
	   retrieved over an SSL connection.  The current (2.01) behaviour
	   is to always cache such documents in the absence of the
	   "Pragma: no-cache" header.  The new option will default to not
	   caching SSL-fetched documents, but will allow the user to enable
	   caching if they desire.  This option will not affect caching
	   of documents retrieved in the clear via un-encrypted http (which
	   can be disabled by turning off the disk cache).

	4) Dialog for cookie acceptance.  There will be an option to enable
	   a dialog that will be displayed whenever you are sent an HTTP cookie.
	   This dialog will allow you to discard the cookie.

	5) You will be able to disable/enable SSL2 and SSL3, and the specific
	   cipher-suites.  For example, if you use the US-domestic version of
	   the navigator, you can turn off the export ciphers to ensure that
	   you never send any data over SSL using 40-bit secret keys.

  I look forward to any feedback people may have on these new options once the
new beta is out.  Sorry, but I can't tell you the exact date yet...

	--Jeff

-- 
Jeff Weinstein - Electronic Munitions Specialist
Netscape Communication Corporation
[email protected] - http://home.netscape.com/people/jsw
Any opinions expressed above are mine.
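
Added example (not part of the original message, and not Netscape's code): a toy Python model of the behaviour described above, where form post data becomes part of the cache database key, together with the "Pragma: no-cache" workaround and the SSL caching preference from item 3. The class, function names, URL and form values are all constructed for illustration.

```python
"""Toy model of a browser disk cache (constructed example, not Netscape code)."""
from urllib.parse import urlsplit


def has_no_cache(headers):
    """True if the response carries 'Pragma: no-cache' (case-insensitive)."""
    return any(k.lower() == "pragma" and "no-cache" in v.lower()
               for k, v in headers.items())


def may_disk_cache(url, headers, cache_ssl=False, disk_cache=True):
    """Policy from item 3: SSL documents are not cached unless the user opts in."""
    if not disk_cache or has_no_cache(headers):
        return False
    if urlsplit(url).scheme == "https":
        return cache_ssl
    return True


class DiskCache:
    def __init__(self, cache_ssl=False):
        self.cache_ssl = cache_ssl
        self.index = {}  # stands in for the on-disk cache database (assumption)

    def store(self, method, url, post_data, headers, body):
        if not may_disk_cache(url, headers, self.cache_ssl):
            return False
        # Behaviour described in the message: form post data is part of the key,
        # so whatever the user typed into the form is written into the index.
        key = f"{method} {url} {post_data}" if method == "POST" else f"{method} {url}"
        self.index[key] = body
        return True

    def keys_containing(self, needle):
        """Audit helper: index keys that contain a given string."""
        return [k for k in self.index if needle in k]


def demo():
    form = "user=alice&password=hunter2"  # constructed form submission
    url = "https://bank.example/login"    # constructed URL
    old = DiskCache(cache_ssl=True)       # 2.01 behaviour: SSL documents cached
    old.store("POST", url, form, {"Content-Type": "text/html"}, "<html>ok</html>")
    leaked = old.keys_containing("hunter2")
    guarded = DiskCache(cache_ssl=True)   # same cache, server sends the workaround
    guarded.store("POST", url, form, {"Pragma": "no-cache"}, "<html>ok</html>")
    new_default = DiskCache()             # new default: SSL documents not cached
    new_default.store("POST", url, form, {}, "<html>ok</html>")
    return len(leaked), len(guarded.index), len(new_default.index)
```

`demo()` returns how many cache keys contain the password under the old behaviour, with the server-side workaround, and with the new default preference.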