
Re: Location Proposals

From: Brian Behlendorf <brian@organic.com>
Date: Wed, 30 Aug 1995 17:08:46 -0700 (PDT)
To: Shel Kaphan <sjk@amazon.com>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <Pine.SGI.3.91.950830170638.541P-100000@fully.organic.com>

On Wed, 30 Aug 1995, Shel Kaphan wrote:
> Proposals for additional language in the HTTP 1.1 spec.
> 
> In section 8.19:
> 
> To address the security hole that Larry Masinter recognized:
> 
> 	"If a Location response header is returned with a 2xx response,
> 	the location must be on the same server as the request-URI.
> 	If a cache or user agent receives a 2xx response containing a Location
> 	response header with a location on a different server, it should
> 	disregard the Location header."

This assumes "server" is a contiguous authority - not true, there are many
servers out there where one group putting pages might be antagonistic to
another group on the same server.  

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  brian@hyperreal.com  http://www.[hyperreal,organic].com/
Received on Wednesday, 30 August 1995 17:27:36 EDT
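
The check proposed in the quoted text, as a cache or user agent might apply it, together with the case the reply raises. This is an added example, not part of the original message or of any HTTP specification text; the function names, the `example.com` URLs, and the idea that a top-level directory such as `/~alice/` marks which group owns a page are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def server_of(url):
    """Return (scheme, host, port), case-folded, with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)


def effective_location(request_uri, status, location):
    """Apply the quoted rule; return the absolute Location, or None to disregard it."""
    try:
        absolute = urljoin(request_uri, location)  # resolve relative references first
        same_server = server_of(absolute) == server_of(request_uri)
    except ValueError:  # malformed authority or port in the header value
        return None
    if 200 <= status < 300 and not same_server:
        return None  # 2xx response pointing at a different server
    return absolute


def top_directory(url):
    """First path segment; assumed here to identify the group that owns the page."""
    return urlsplit(url).path.lstrip("/").split("/", 1)[0]


# Constructed sample values (not from the original message).
REQUEST_URI = "http://www.example.com/~alice/report.html"
CASES = [
    (200, "http://other.example.net/report.html"),  # different server: disregarded
    (200, "//other.example.net/report.html"),       # network-path reference: disregarded
    (200, "http://WWW.EXAMPLE.COM:80/~alice/v2.html"),  # same server after normalising
    (200, "/~bob/report.html"),   # same server, another group's tree: still accepted
    (302, "http://other.example.net/report.html"),  # rule covers 2xx responses only
]

if __name__ == "__main__":
    for status, loc in CASES:
        kept = effective_location(REQUEST_URI, status, loc)
        crosses = kept is not None and top_directory(kept) != top_directory(REQUEST_URI)
        print(status, loc, "->", kept, "(different top-level directory)" if crosses else "")
```

The fourth case passes the same-server test even though the Location names a page under a different top-level directory, which is the situation the reply describes.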
