> Get is mostly OK with the correct headers to stop referrer leakage.
Those work in new-ish browsers only. Referrer is only one GET leakage vector.
> Fragment should only be used with real JS clients in the browser and not
> with servers.
Fragment behavior is very different in modern browsers.
From an interoperability perspective, accepting both is best.
Get is mostly OK with the correct headers to stop referrer leakage.
Fragment should only be used with real JS clients in the browser and not
with servers.
That is the general direction of the new security advice.
People wanting to use P
> The _*safest*_ thing for a client is to accept both.
I politely (and strongly) disagree with this statement. The safest thing
for a client is to only accept POST or other verbs where any kind of
sensitive data is NOT kept in the URL. Sensitive data in URLs leaks like
a sieve, even over HTTPS.