W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

Re: 305 Use proxy

From: David W. Morris <dwm@xpasc.com>
Date: Wed, 19 Mar 1997 16:51:29 -0800 (PST)
To: Josh <josh@netscape.com>
Cc: "Roy T. Fielding" <fielding@kiwi.ICS.UCI.EDU>, http-wg@cuckoo.hpl.hp.com
Message-Id: <Pine.SOL.3.95.970319164609.26025D-100000@shell1.aimnet.com>


On Wed, 19 Mar 1997, Josh wrote:

> > Roy said
> > > Josh said
> > 
> > >Suggested rules:
> > >Origin servers may NOT send 305, only proxies may send them.
> > 
> > Nope.  The original intended purpose of 305 is to allow an origin server
> > to prevent access unless it goes through the appropriate proxy.
> > 
> I agree that an origin server based redirect is a good idea,
> and although I cant quickly come up with a case for it which
> couldnt acheive the same results by other means, I think
> this functionality is worthwhile.  However, from a security
> standpoint I think its hard to implement.

I'm missing a point somewhere ... why do you think there is a greater
security issue with an origin server specifing a proxy redirect than
a proxy doing it? My sense is that the converse is true. Since the
redirect is hop-hop, it seems like the origin server would be at least
as trusted as any proxy in terms of telling a user where to get resources
logically owned by the origin server.

Dave Morris
Received on Wednesday, 19 March 1997 16:55:26 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:32 EDT