From: Pier Fumagalli
Subject: Re: [jetty-discuss] Microsoft IE7 compromise of session security
Date: Sun, 2 Oct 2005 23:53:38 +0100
To: dev@cocoon.apache.org
In-Reply-To: <43405C8C.8000904@apache.org>
References: <07e701c5c424$d5d9e1a0$0600000a@john> <37A85658-20E7-49E6-9660-17A8E9DBCC25@betaversion.org> <43405C8C.8000904@apache.org>
Message-Id: <7162A576-DBD8-4A71-93D6-5F6DFD842DBD@betaversion.org>

On 2 Oct 2005, at 23:17, Sylvain Wallez wrote:
> Pier Fumagalli wrote:
>
>> I found this on the Jetty list, and thought it was relevant as in
>> the examples we tend to encode the continuation ID into the URL...
>>
>> This is f***ing scary!!!
>
> Yep. And doesn't the same already happen with the Google toolbar,
> which certainly sends the URL to Google to get the page rank? The same
> also applies to the PageRank Firefox extension...

I don't know the Google Toolbar (I don't use it), but methinks that at
least our samples should show another way, and explain why continuation
IDs are not encoded in the URI...
Pier
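The check the thread is pointing at, as an added example that is not Cocoon's own code: a continuation that only the session which created it may resume, so a URL copied out by a toolbar, a Referer header or a proxy log is useless on its own. `ContinuationStore`, the `/kont/<id>` URL layout and the `JSESSIONID` cookie name are assumptions made for this illustration.

```python
import secrets
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


class ContinuationStore:
    """Hypothetical registry: continuation ID -> (owning session, flow state)."""

    def __init__(self):
        self._conts = {}

    def create(self, session_id, state):
        cont_id = secrets.token_urlsafe(16)  # unguessable, but it will sit in the URL
        self._conts[cont_id] = (session_id, state)
        return cont_id

    def resume(self, cont_id, session_id):
        entry = self._conts.get(cont_id)
        if entry is None or session_id is None:
            return None
        owner, state = entry
        # Resume only for the session that created the continuation: whoever
        # received the leaked URL has no session cookie for this site.
        if not secrets.compare_digest(owner, session_id):
            return None
        return state


def continuation_from_url(url):
    """Extract the ID from an assumed Cocoon-style '.../kont/<id>' URL."""
    parts = urlsplit(url).path.split("/")
    if "kont" in parts and parts.index("kont") + 1 < len(parts):
        return parts[parts.index("kont") + 1] or None
    return None


def session_from_cookie(cookie_header):
    """The session must travel in a cookie: a URL-rewritten ';jsessionid=...'
    would leak together with the continuation ID and defeat the binding."""
    if not cookie_header:
        return None
    jar = SimpleCookie(cookie_header)
    return jar["JSESSIONID"].value if "JSESSIONID" in jar else None


def handle_request(store, url, cookie_header):
    """Resume the continuation named in the URL, but only for its owning session."""
    return store.resume(continuation_from_url(url), session_from_cookie(cookie_header))


def demo():
    """Constructed scenario: owner resumes; the bare URL and another session are refused."""
    store = ContinuationStore()
    cid = store.create("sessA", {"step": "confirm-order"})
    url = f"http://example.invalid/samples/flow/kont/{cid}"
    owner = handle_request(store, url, "JSESSIONID=sessA")
    leaked = handle_request(store, url, None)
    other = handle_request(store, url, "JSESSIONID=sessB")
    return owner, leaked, other
```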