Malthe Borch wrote:
> 2009/5/12 Tres Seaver <tsea...@palladion.com>:
>> The server side wouldn't know that: the presence of such a field in the
>> request is completely independent of any form (e.g., cookies passed long
>> after logging in).
>
> I understand the issue, but shouldn't the remedy be to avoid ever
> displaying request data in a public view?
I wonder who would put credentials in clear text into the request and then display the request itself? The HTTP_AUTHORIZATION key is taken out of the request environment immediately to avoid it ever being shown. For such a low-level HTTP feature I can understand this as a reasonable responsibility of the request. But dealing with arbitrary data in the request and guessing that something including "passw" is probably going to contain credentials seems just awkward. If I name my variable auth, credentials or "Kennung" or whatever else in a different language, this thing is not going to help me.

Hanno

_______________________________________________
Repoze-dev mailing list
Repoze-dev@lists.repoze.org
http://lists.repoze.org/listinfo/repoze-dev
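The two mechanisms discussed in this thread side by side, as an added illustration that is not part of the original mail and not repoze.bfg's or WebOb's own code: a request wrapper that pops HTTP_AUTHORIZATION out of the environ on construction (so no later repr of the environ can leak it), a name-based "passw" redaction of form data, and an allow-list alternative that hides everything not explicitly declared safe. The `Request` class, the helper names and the sample environ/form data are all hypothetical and constructed for the example; the form deliberately includes `auth` and `Kennung` to show what the "passw" heuristic misses.

```python
import re

# Constructed sample WSGI environ; not captured from a real server.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "POST",
    "PATH_INFO": "/login",
    "HTTP_AUTHORIZATION": "Basic YWxpY2U6czNjcjN0",   # "alice:s3cr3t", constructed
    "HTTP_USER_AGENT": "example/1.0",
}

# Constructed form data submitted with that request.
SAMPLE_FORM = {
    "username": "alice",
    "password": "s3cr3t",      # caught by the "passw" heuristic
    "auth": "tok-abc123",      # not caught: name does not contain "passw"
    "Kennung": "geheim",       # German field name, also not caught
    "remember_me": "on",
}

# The heuristic from the discussion: hide any field whose name contains "passw".
PASSW_RE = re.compile(r"passw", re.IGNORECASE)


class Request:
    """Hypothetical minimal request wrapper.

    HTTP_AUTHORIZATION is removed from the environ in __init__, so any code
    that later prints or logs request.environ cannot leak the credentials.
    The value stays reachable only through the dedicated property.
    """

    def __init__(self, environ, form):
        self.environ = dict(environ)
        self._authorization = self.environ.pop("HTTP_AUTHORIZATION", None)
        self.form = dict(form)

    @property
    def authorization(self):
        return self._authorization


def redact_by_name(form):
    """Name-based redaction: only keys matching 'passw' are masked."""
    return {k: ("<hidden>" if PASSW_RE.search(k) else v) for k, v in form.items()}


def redact_by_allowlist(form, safe_fields):
    """Default-deny redaction: show only fields explicitly declared safe."""
    return {k: (v if k in safe_fields else "<hidden>") for k, v in form.items()}


def leaked_values(redacted, secrets):
    """Return the secret values that still appear in a redacted view."""
    shown = set(redacted.values())
    return sorted(s for s in secrets if s in shown)


if __name__ == "__main__":
    req = Request(SAMPLE_ENVIRON, SAMPLE_FORM)
    secrets = {"s3cr3t", "tok-abc123", "geheim"}
    print("environ repr mentions authorization:",
          "HTTP_AUTHORIZATION" in repr(req.environ))
    print("passw heuristic leaks:", leaked_values(redact_by_name(req.form), secrets))
    print("allow-list leaks:",
          leaked_values(redact_by_allowlist(req.form, {"username", "remember_me"}), secrets))
```

The name-based view still shows the `auth` token and the `Kennung` value, which is exactly the failure Hanno describes; the allow-list view leaks nothing, at the cost of the application having to declare which fields are harmless to display.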