Re: Redirection of a POST as a GET

From: David Morris <dwm@xpasc.com>
Date: Thu, 8 Mar 2007 12:57:16 -0800 (PST)
To: Julian Reschke <julian.reschke@gmx.de>
cc: Adrien de Croy <adrien@qbik.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <Pine.LNX.4.33.0703081216590.22800-100000@egate.xpasc.com>

Folks, it is about time we recognize that permission of the user is pure
nonsense. They choose whatever they believe will let them complete what
they are doing.

The only people who know if a redirect of a POST makes sense are the
authors of the compound web server (server and application). If my
web server has moved, it is quite reasonable to redirect a POST to the
new process. I might do it for load balancing as well... I wrote the darn
thing and won't be issuing a redirect if the request is subject to double

Demanding user permission is like writing 5 page credit card agreements in
micro font and then blaming the individual for not understanding the
obtuse language.

The protocol MUST support responsible behavior by the application

On Thu, 8 Mar 2007, Julian Reschke wrote:

> Adrien de Croy wrote:
> >
> >
> > one thing - are there any security implications with a browser say
> > automatically resubmitting some POST data to another server based on a
> > redirect code?
> Yes. That's why 10.3
> (<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.10.3>) says:
> "The action required MAY be carried out by the user agent without
> interaction with the user if and only if the method used in the second
> request is GET or HEAD."
> (this part needs to be fixed to say "safe method" instead of "GET or HEAD").
> > ...
> Best regards, Julian
Received on Thursday, 8 March 2007 20:57:24 UTC
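
The rule quoted from RFC 2616 section 10.3, sketched as a user agent's redirect decision. This is an added example, not part of the original message or of any browser's code; `plan_redirect` and the `user_confirms` callback are hypothetical names, the URLs are constructed, and the cross-origin flag is an assumption added to show where POST data would leave the original server.

```python
from urllib.parse import urljoin, urlsplit

SAFE_METHODS = {"GET", "HEAD"}         # the two methods the quoted 10.3 text names
REDIRECT_CODES = {301, 302, 303, 307}  # redirect codes defined in RFC 2616


def plan_redirect(method, request_url, status, location, user_confirms=None):
    """Decide what a user agent does with a redirect response.

    Returns (action, next_method, next_url, forwards_body), where action is
    "follow", "ask" or "stop". user_confirms is a hypothetical callback taking
    (next_method, next_url, cross_origin) and returning True or False.
    """
    method = method.upper()
    if status not in REDIRECT_CODES or not location:
        return ("stop", None, None, False)
    next_url = urljoin(request_url, location)  # Location may be relative
    # 303 asks for the target to be retrieved with GET; the other codes keep
    # the original method, so a POST body would be submitted a second time.
    next_method = "GET" if status == 303 else method
    if next_method in SAFE_METHODS:
        return ("follow", next_method, next_url, False)
    # Unsafe second request: the quoted text forbids following it silently.
    src, dst = urlsplit(request_url), urlsplit(next_url)
    cross_origin = (src.scheme, src.netloc.lower()) != (dst.scheme, dst.netloc.lower())
    if user_confirms is None:
        return ("ask", next_method, next_url, True)
    allowed = bool(user_confirms(next_method, next_url, cross_origin))
    return ("follow" if allowed else "stop", next_method, next_url, allowed)


if __name__ == "__main__":
    # Constructed sample responses: (method, request URL, status, Location)
    samples = [
        ("POST", "https://shop.example/order", 303, "/receipt/1"),
        ("POST", "https://shop.example/order", 307, "https://other.example/order"),
        ("GET", "https://shop.example/old", 301, "/new"),
    ]
    for sample in samples:
        print(sample, "->", plan_redirect(*sample))
```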
