This document contains internet security issues.  Discussion of security 
issues should be directed to kfm-devel@kde.org. 

Note to KDE-developers: When adding entries to this document, provide name, 
date and additional URLs.


Malicious Redirects
===================
Entry By: Waldo Bastian <bastian@kde.org>
Created: May 9th, 2000 
See also: http://lwn.net/2000/features/Redirect.phtml
          http://www.zope.org/Members/jim/ZopeSecurity/ClientSideTrojan

I advise the following:

* We should never allow a redirect from an HTTP to any other protocol, including 
  HTTPS. (OK. The current implementation does not allow redirects to other 
  protocols)

* We should provide an HTTP referer header iff the referer is on the same host
  as the requested object. (We currently don't support referer headers)

* Either a) Don't allow POST or GET actions from javascript.
  or b) _Always_ ask the user for confirmation when javascript requests a 
        POST or GET action.
  Additional note: Simple requests for e.g. images are also GET actions, 
  disabling them would break a lot of javascript scripts.
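The redirect and referer rules above, written out as a small policy check. This is an added illustration, not code from KDE's kio or khtml; the URLs are constructed samples, and the handling of non-HTTP sources, ports and userinfo is my assumption rather than something the entry specifies.

```python
from urllib.parse import urlsplit, urlunsplit


def redirect_allowed(current_url: str, target_url: str) -> bool:
    """Rule 1: a redirect from an HTTP resource may only lead to another
    HTTP resource, never to a different protocol (HTTPS included).

    The entry only talks about redirects *from* HTTP; for other source
    schemes this conservatively requires the scheme to stay the same
    (assumption, not stated in the entry)."""
    cur_scheme = urlsplit(current_url).scheme.lower()
    tgt_scheme = urlsplit(target_url).scheme.lower()
    if cur_scheme == "http":
        return tgt_scheme == "http"
    return tgt_scheme == cur_scheme


def referer_for(referring_url: str, requested_url: str):
    """Rule 2: return the Referer value to send iff the referring page is
    on the same host as the requested object, otherwise None.

    Hostnames are compared case-insensitively (urlsplit lowercases them).
    Userinfo and the fragment are stripped from the emitted value so a
    same-host request never leaks credentials or in-page state
    (assumption: the entry says nothing about the value's form)."""
    ref = urlsplit(referring_url)
    req = urlsplit(requested_url)
    if not ref.hostname or ref.hostname != req.hostname:
        return None
    netloc = ref.hostname
    if ref.port is not None:
        netloc = "%s:%d" % (netloc, ref.port)
    return urlunsplit((ref.scheme, netloc, ref.path, ref.query, ""))


if __name__ == "__main__":
    # Constructed sample URLs; kde.org stands in for "our" host.
    print(redirect_allowed("http://www.kde.org/a", "https://www.kde.org/b"))
    print(referer_for("http://www.kde.org/index.html",
                      "http://other.example.net/track.gif"))
```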
