W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > September to December 1997

Re: LYNX-DEV two curiosities from IETF HTTP session.

From: Foteos Macrides <MACRIDES@sci.wfbr.edu>
Date: Wed, 10 Dec 1997 16:58:10 -0500 (EST)
To: yarong@microsoft.com
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, lynx-dev@sig.net
Message-Id: <01IR0L7L2FEA0005K0@SCI.WFBR.EDU>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/4892
Yaron Goland <yarong@microsoft.com> wrote:
>I doubt any commercial browser will implement 305 without some very serious
>security provided to assure that the proxy asking for the one time redirect
>is going to get it. I would suggest that this problem needs to be dealt with
>in the large 305/306 context, in a stand alone spec, and that the draft
>standard for HTTP should simply state that 305 has been deprecated and
>SHOULD NOT be implemented.

	You apparently haven't yet grasped the changes Jim already has
made for 305 in Rev-01.  The 305 can *only* be sent by an origin server.
Deployed proxies will pass it through to the browser, as they do for
300, 301, 302, 303 and 307.  Josh's 305/306 draft has been dropped
from Rev-01, with expectation that he (and Ari) will generate a new,
306-only draft (complementary to a revised OPTIONS draft).  I suppose
a proxy, if already being used by the browser, could (should?) act on
the 305, and there shouldn't be a security problem with that if the
305 is to be handled always as a GET.  If unsafe methods are to be
retained with 305, instead of postponing that functionality to a new
306 proposal, then yes, it would be better to drop 305.  But 305 would
be useful if it were specified as presently in Rev-01 with the addition
of a sentence that GET always should be used, and who knows when, if
ever, the security/privacy problems with 306 will be solved.


 Foteos Macrides            Worcester Foundation for Biomedical Research
 MACRIDES@SCI.WFBR.EDU         222 Maple Avenue, Shrewsbury, MA 01545
Received on Wednesday, 10 December 1997 13:45:04 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 14:40:21 UTC