Re: LYNX-DEV two curiosities from IETF HTTP session.

Paul Leach <paulle@microsoft.com> wrote:
>> ----------
>> From: 	jg@pa.dec.com[SMTP:jg@pa.dec.com]
>> Sent: 	Wednesday, December 10, 1997 4:48 PM
>> 
><snip>
>
>> I think you are confused....  In Rev-01, only an origin server is allowed
>> to generate a 305 response.  It is authoritative for that resource, so
>> the spoofing problems don't come up (and is the reason for that text being
>> in the document...)
>> 
>And exactly how can the browser tell that it was the origin server that sent
>the 305? And not the untrustworthy proxy in between the client and the
>server?
>
>I know that normally one trusts one's proxy, but since security issues are
>being raised here, the question needs to be asked.

	That's not a problem for the Lynx implementation because it
will show the body instead of acting on the 305 if it already is using
a proxy, on the assumption that the UA which receives it from the origin
server should act on it, and that can't be the browser if it already
is using a proxy (plus, the browser's current proxy may be obligatory
for a firewall).  Also note, as was raised in the recent discussion,
that if a proxy acts on it, you need a GET-only requirement, because a
POST should not be redirected without confirmation by the human user of
the browser.

	But this all seems academic upon reading the statement in the
recently posted minutes of the IETF meeting that to be retained in the
Draft Standard there must be two independent implementations, because
there is only one.  So I guess it's indeed bye bye 305. (i.e., put it
off with 306 to a new draft :)

				Fote

=========================================================================
 Foteos Macrides            Worcester Foundation for Biomedical Research
 MACRIDES@SCI.WFBR.EDU         222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================

Received on Thursday, 11 December 1997 20:18:52 UTC
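The policy Fote describes above, as an added example (not Lynx code and not from the thread): a user agent that renders the 305 body instead of acting on it when a proxy is already in use, only follows it for GET/HEAD, and asks the user before redirecting anything else. The response bytes are constructed for the example; the proxy host is a placeholder.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: dict   # header names lower-cased
    body: bytes


def parse_response(raw: bytes) -> Response:
    """Minimal HTTP/1.x response parser (status line + headers + body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(status, headers, body)


def decide_305(resp: Response, method: str, already_using_proxy: bool):
    """Decide how a UA should treat a 305 for one request.

    Returns 'not_305', 'show_body', 'ask_user' or ('use_proxy', url).
    A 305 applies to the single request that produced it only.
    """
    if resp.status != 305:
        return "not_305"
    # Behind a proxy the UA cannot tell origin server from proxy, and the
    # current proxy may be mandatory (firewall): render the body instead.
    if already_using_proxy:
        return "show_body"
    location = resp.headers.get("location", "")
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "show_body"          # no usable proxy URL to act on
    # Only idempotent retrievals are retried automatically; a POST must
    # not be re-sent elsewhere without the human user confirming.
    if method.upper() not in ("GET", "HEAD"):
        return "ask_user"
    return ("use_proxy", location)


# Constructed sample response; proxy host is a placeholder.
SAMPLE_305 = (b"HTTP/1.1 305 Use Proxy\r\n"
              b"Location: http://proxy.example:3128/\r\n"
              b"Content-Length: 0\r\n\r\n")
```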