
Re: Redirection of a POST as a GET

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 08 Mar 2007 13:15:15 +0100
Message-ID: <45EFFE53.9060709@gmx.de>
To: Adrien de Croy <adrien@qbik.com>
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>

Adrien de Croy wrote:
> 
> 
> one thing - are there any security implications with a browser say 
> automatically resubmitting some POST data to another server based on a 
> redirect code?

Yes. That's why 10.3 
(<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.10.3>) says:

"The action required MAY be carried out by the user agent without 
interaction with the user if and only if the method used in the second 
request is GET or HEAD."

(this part needs to be fixed to say "safe method" instead of "GET or HEAD").

> ...

Best regards, Julian
Received on Thursday, 8 March 2007 12:15:33 GMT
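
The rule quoted from section 10.3 above, written out as a user-agent redirect policy. This is an added example, not part of the original message or of any real client; the names `decide`, `Decision`, `AUTO_METHODS` and the `confirm` callback are hypothetical, and the per-status-code method handling follows RFC 2616.

```python
# Added illustration, not code from the thread. All names are hypothetical.
from dataclasses import dataclass
from typing import Callable, Optional

# Methods that may be re-issued without asking the user. The quoted sentence
# names GET and HEAD; widening this set is the "safe method" wording.
AUTO_METHODS = frozenset({"GET", "HEAD"})
REDIRECT_CODES = frozenset({301, 302, 303, 307})


@dataclass(frozen=True)
class Decision:
    follow: bool            # issue the second request at all?
    method: Optional[str]   # method of the second request, if followed
    send_body: bool         # re-send the original entity body?
    asked_user: bool        # was the user prompted?


def second_method(status: int, method: str) -> str:
    # RFC 2616: 303 is retrieved with GET; 301, 302 and 307 keep the method.
    return "GET" if status == 303 else method


def decide(status: int, method: str, location: str,
           confirm: Callable[[str, str], bool]) -> Decision:
    """Decide how to react to a redirect response.

    confirm(method, location) stands in for the user prompt; it is called
    only when the second request would not be GET or HEAD.
    """
    method = method.upper()
    if status not in REDIRECT_CODES:
        return Decision(False, None, False, False)
    nxt = second_method(status, method)
    if nxt in AUTO_METHODS:
        # Automatic follow is allowed; a GET/HEAD carries no submitted body,
        # so the POST data never reaches the redirect target.
        return Decision(True, nxt, False, False)
    # Unsafe method: the body would go to a server the user never chose.
    ok = bool(confirm(nxt, location))
    return Decision(ok, nxt if ok else None, ok, True)
```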
