This page is part of the web mail archives of SRFI 59 from before July 7th, 2015. The new archives for SRFI 59 are here. Eventually, the entire history will be moved there, including any new messages.
On Mon, 10 Jan 2005, Per Bothner wrote: >felix winkelmann wrote: > >> - It should be apparent that generalizing this all to URIs brings with it >> some security issues > >I don't see this. I can see trouble if a Bad Guy gets an >application to look for a resource using a bad URI. But how is this >different from getting an application to look for the resource using >a bad local path? It's different because it allows the user to be tracked and logged from a remote machine without their knowledge. Since Microsoft's subversion of SMTP to send HTML, it's become fairly common for people spying on users to embed things in their mail that generate an HTTP request whenever the mail is displayed, so they can keep track of the people they've sent stuff to. I think this is pernicious. One step further and you'll see house robbers waiting until their server verifies that the owner is at the office reading email.... In security applications, I want guarantees that a program is *NOT* accessing the network. Bear