- From: Brian Behlendorf <brian@organic.com>
- Date: Wed, 30 Aug 1995 17:08:46 -0700 (PDT)
- To: Shel Kaphan <sjk@amazon.com>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

On Wed, 30 Aug 1995, Shel Kaphan wrote:
> Proposals for additional language in the HTTP 1.1 spec.
>
> In section 8.19:
>
> To address the security hole that Larry Masinter recognized:
>
> "If a Location response header is returned with a 2xx response,
> the location must be on the same server as the request-URI.
> If a cache or user agent receives a 2xx response containing a Location
> response header with a location on a different server, it should
> disregard the Location header."

This assumes "server" is a contiguous authority - not true, there are many
servers out there where one group putting pages might be antagonistic to
another group on the same server.

Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com brian@hyperreal.com http://www.[hyperreal,organic].com/

Received on Wednesday, 30 August 1995 17:27:36 UTC
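
The rule proposed in the quoted text, sketched as a cache-side check (an added example, not part of the original message or of any HTTP implementation). Treating "server" as scheme, host and port is an assumption, as are the function names and the constructed example.com URLs; the last case in `sample_cases` shows the reply's point that two paths on one server pass the check regardless of who controls them.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def server_of(url):
    """Return (scheme, host, port) for a URL; this triple is the assumed
    meaning of "server" in the proposed text."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def location_to_honor(request_uri, status, location):
    """Apply the proposed rule: on a 2xx response, disregard a Location
    header that names a different server than the request-URI.
    Returns the resolved Location, or None when it is disregarded."""
    if location is None:
        return None
    # A relative Location resolves against the request-URI, so it can
    # never leave the server that was asked.
    resolved = urljoin(request_uri, location)
    if 200 <= status < 300 and server_of(resolved) != server_of(request_uri):
        return None
    return resolved


def sample_cases():
    """Constructed inputs: (request-URI, status, Location header)."""
    req = "http://www.example.com/~alice/page.html"
    return {
        "relative": location_to_honor(req, 200, "canonical.html"),
        "other_server": location_to_honor(req, 200, "http://other.example.net/x"),
        "redirect": location_to_honor(req, 302, "http://other.example.net/x"),
        # Same server, but a path another group publishes: the rule as
        # worded still honors it, because it only compares servers.
        "same_server_other_group": location_to_honor(
            req, 200, "http://WWW.EXAMPLE.COM:80/~bob/index.html"),
    }


if __name__ == "__main__":
    for name, result in sample_cases().items():
        print(f"{name}: {result}")
```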