5.3 Remote files with third-party transfer
In some scenarios, the user operating the form software might want to
specify a URL for remote data rather than a local file. In this case,
is there a way to allow the browser to send to the client a pointer
to the external data rather than the entire contents? This capability
could be implemented, for example, by having the client send to the
server data of type "message/external-body" with "access-type" set
to, say, "uri", and the URL of the remote data in the body of the
message.
5.4 Non-ASCII field names
Note that MIME headers are generally required to consist only of 7-
bit data in the US-ASCII character set. Hence field names should be
encoded according to the method in RFC 2047 if they contain
characters outside of that set.
RFC 2388 multipart/form-data August 1998
5.5 Ordered fields and duplicated field names
The relationship of the ordering of fields within a form and the
ordering of returned values within "multipart/form-data" is not
defined by this specification, nor is the handling of the case where
a form has multiple fields with the same name. While HTML-based forms
may send back results in the order received, and intermediaries
should not reorder the results, there are some systems which might
not define a natural order for form fields.
5.6 Interoperability with web applications
Many web applications use the "application/x-url-encoded" method for
returning data from forms. This format is quite compact, e.g.:
name=Xavier+Xantico&verdict=Yes&colour=Blue&happy=sad&Utf%F6r=Send
however, there is no opportunity to label the enclosed data with
content type, apply a charset, or use other encoding mechanisms.
Many form-interpreting programs (primarly web browsers) now implement
and generate multipart/form-data, but an existing application might
need to optionally support both the application/x-url-encoded format
as well.
5.7 Correlating form data with the original form
This specification provides no specific mechanism by which
multipart/form-data can be associated with the form that caused it to
be transmitted. This separation is intentional; many different forms
might be used for transmitting the same data. In practice,
applications may supply a specific form processing resource (in HTML,
the ACTION attribute in a FORM tag) for each different form.
Alternatively, data about the form might be encoded in a "hidden
field" (a field which is part of the form but which has a fixed value
to be transmitted back to the form-data processor.)
6. Security Considerations
The data format described in this document introduces no new security
considerations outside of those introduced by the protocols that use
it and of the component elements. It is important when interpreting
content-disposition to not overwrite files in the recipients address
space inadvertently.
User applications that request form information from users must be
careful not to cause a user to send information to the requestor or a
third party unwillingly or unwittingly. For example, a form might
RFC 2388 multipart/form-data August 1998
request 'spam' information to be sent to an unintended third party,
or private information to be sent to someone that the user might not
actually intend. While this is primarily an issue for the
representation and interpretation of forms themselves, rather than
the data representation of the result of form transmission, the
transportation of private information must be done in a way that does
not expose it to unwanted prying.
With the introduction of form-data that can reasonably send back the
content of files from user's file space, the possibility that a user
might be sent an automated script that fills out a form and then
sends the user's local file to another address arises. Thus,
additional caution is required when executing automated scripting
where form-data might include user's files.
=3= |
