Re: 3 Proposals: session ID, business-card auth, customer auth

William Perry (wmperry@spry.com)
Tue, 18 Jul 95 06:47 PDT


Daniel DuBois writes:

> In fact, if we are going to design browsers that allow the user the
> *option* of following the business card auth scheme, we might as well
> design browsers to allow the user the *option* of sending out the 'From:'
> field, and, if a server really wanted to, it could alter its output based
> on whether or not a From: field exists.

Some browsers do exactly that already. Emacs-w3 and I think one other,
can't remember right now, allow you to selectively turn off the sending of
various parts of the HTTP/1.0 request, including Referer, From, and certain
information about the operating system you are running on in the User-Agent
field.

The HTTP/1.0 specification actually encourages this behaviour (or used
to, haven't read the new spec in about 3 weeks) in its addendum about
security and privacy related issues.

-Bill P.