Feature Proposal: Restricting %HTTP{...}% not to yield certain header fields
Motivation
Cookie values should not be retrievable by %HTTP{COOKIE}% because they may carry sensitive information such as the login session identity. The same applies to %HTTPS{COOKIE}%.
Description and Documentation
HTTP header fields specified by {HTTP}{HiddenFields} (comma separated list) as follows would become unavailable.
Just like %HTTP{...}%'s parameter, the {HTTP}{HiddenFields} value is case insensitive and dash/underscore agnostic.
$TWiki::cfg{HTTP}{HiddenFields} = 'cookie';
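The matching rules above (comma plus optional space separated list, case insensitive, dash/underscore agnostic) as an added, stand-alone Python illustration; this is not TWiki's own Perl code, and the request header table, the header values and the helper names are constructed for the example.

```python
import re

# Constructed sample of the setting, matching the proposal's default.
HIDDEN_FIELDS_SETTING = 'cookie'

# Constructed request header table standing in for the real CGI environment.
SAMPLE_HEADERS = {
    'Cookie': 'TWIKISID=constructed-session-id',
    'User-Agent': 'ExampleBrowser/1.0',
    'X-Forwarded-For': '192.0.2.10',
}


def normalize(name):
    """Fold a header/field name the way %HTTP{...}% compares names:
    case insensitive and dash/underscore agnostic."""
    return name.strip().lower().replace('-', '_')


def parse_hidden_fields(setting):
    """Parse {HTTP}{HiddenFields}: comma followed by optional spaces."""
    return {normalize(f) for f in re.split(r',\s*', setting) if f.strip()}


def http_variable(headers, field, setting=HIDDEN_FIELDS_SETTING):
    """Simulate %HTTP{field}% / %HTTPS{field}% after the proposal: return the
    header value, or '' when the field is hidden by the setting or absent."""
    wanted = normalize(field)
    if wanted in parse_hidden_fields(setting):
        return ''  # hidden: never disclose, even though the header exists
    for name, value in headers.items():
        if normalize(name) == wanted:
            return value
    return ''


if __name__ == '__main__':
    print(repr(http_variable(SAMPLE_HEADERS, 'COOKIE')))      # '' (hidden)
    print(repr(http_variable(SAMPLE_HEADERS, 'user_agent')))  # 'ExampleBrowser/1.0'
```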
Examples
Impact
Implementation
-- Contributors: HideyoImazu - 2012-11-01
Discussion
This makes sense. The cookie header could even be set by default.
As for the name, we already have a standard for {VARIABLE}{SomeStuff}, so I recommend something like {HTTP}{HiddenFields}.
-- PeterThoeny - 2012-11-01
I agree with {HTTP}{HiddenFields} and I reflected it above.
I agree that cookie should be in {HTTP}{HiddenFields} by default.
-- HideyoImazu - 2012-11-02
TWiki already uses comma-space separated lists and regex filters. A regex filter might be overkill for this feature, but if you do use one, reflect it in the name, such as {HTTP}{HeaderFieldFilter}.
If you use {HTTP}{HiddenFields} as proposed, I recommend implementing and documenting this as a comma (+ optional space) separated list.
-- PeterThoeny - 2012-11-02
Accepted by 7 day review period at JerusalemReleaseMeeting2012x11x09.
-- PeterThoeny - 2012-11-09
Reflected Peter's suggestion in the Description and Documentation section.
%HTTPS{...}% in addition to %HTTP{...}% needs to be taken care of, which is reflected above.
-- HideyoImazu - 2012-12-26