form security stuff
Dirk Mueller
mueller at kde.org
Fri Apr 18 19:58:55 CEST 2003
On Fri, 18 Apr 2003, Darin Adler wrote:
> The code that implements the rest of this feature is in KWQ. You might
> want to implement a similar feature for Konqueror.
Ok, it seems this is the DOM tree caching vs "page caching" which confuses
me. It makes sense that you can't cache pages in the DOM tree which contain
passwords (because otherwise they would reappear upon <Back>).
BTW, I'd love to move the DOM tree caching into the khtml common codebase,
as it is a long-wanted feature for Konqueror.
    bool KWQKHTMLPart::canCachePage()
    {
        // Only save page state if:
        // 1. We're not a frame or frameset.
        // 2. The page has no unload handler.
        // 3. The page has no password fields.
        if (d->m_doc &&
            (d->m_frames.count() ||
             parentPart() ||
             d->m_doc->getWindowEventListener (EventImpl::UNLOAD_EVENT) ||
             d->m_doc->hasPasswordField())) {
            return false;
        }
        return true;
    }
This is about DOM tree cache, right? Why do you still cache the page when it
has an HTML cookie set? Why do you cache the page when it contains an https
form?
> Like WinIE, we now don't save anything on a page that includes a secure
> form or a password field. I don't just mean that we don't store the
> user-entered input, but rather that we don't store these pages in the
> cache at all. That's because such pages often contain information about
> the user, not just typed into the fields but in the default values and
> outside the form itself.
Interesting, I haven't observed this behaviour yet. Does this mean that IE
*always* refetches the page which contains a password field or an https form
from the network, even when the user just goes "backwards" in the browsing
history?
I remember that Antti and I tested this and it seemed to us that WinIE
never refetches pages when going back/forward, for performance reasons.
Maybe we indeed missed this case. I'll check.
> We did have some debate about this (I remember a note from Maciej
> saying, "The Win IE behavior seems like overkill to me.") but in the
> end we decided to emulate WinIE in this respect.
Yes, wise decision :-)
--
Dirk
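
The caching rule discussed in this thread, as an added example that is not part of the original message and is not KWQ or KHTML code: conditions 1-3 from the quoted canCachePage() plus the "secure form" rule Darin describes. PageInfo, FormInfo and the helper names are hypothetical, and treating a form as secure when its action resolves to an https URL is an assumption.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Hypothetical, simplified page model; these are not KHTML/KWQ types.
struct FormInfo {
    std::string action;                   // raw action attribute; may be relative or empty
    std::vector<std::string> inputTypes;  // raw type attributes of the form's <input>s
};

struct PageInfo {
    std::string url;
    bool isFrameOrFrameset;
    bool hasUnloadHandler;
    std::vector<FormInfo> forms;
};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return std::tolower(c); });
    return s;
}

static bool startsWith(const std::string& s, const std::string& p) {
    return s.compare(0, p.size(), p) == 0;
}

// Assumption: a form is "secure" if its action resolves to an https URL.
// A relative, protocol-relative or empty action inherits the page's scheme.
bool isSecureForm(const PageInfo& page, const FormInfo& form) {
    const std::string a = lower(form.action);
    if (a.find("://") != std::string::npos) return startsWith(a, "https://");
    return startsWith(lower(page.url), "https://");
}

// HTML attribute values are case-insensitive, so compare in lower case.
bool hasPasswordField(const FormInfo& form) {
    return std::any_of(form.inputTypes.begin(), form.inputTypes.end(),
                       [](const std::string& t) { return lower(t) == "password"; });
}

// Conditions 1-3 of the quoted function, plus the secure-form rule.
bool canCachePage(const PageInfo& page) {
    if (page.isFrameOrFrameset || page.hasUnloadHandler) return false;
    for (const FormInfo& f : page.forms)
        if (hasPasswordField(f) || isSecureForm(page, f)) return false;
    return true;
}
```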