- From: David Morris <dwm@xpasc.com>
- Date: Thu, 8 Mar 2007 12:57:16 -0800 (PST)
- To: Julian Reschke <julian.reschke@gmx.de>
- cc: Adrien de Croy <adrien@qbik.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Folks, it is about time we recognize that permission of the user is pure nonsense. They choose whatever they believe will let them complete what they are doing. The only people who know if a redirect of a POST makes sense are the authors of the compound web server (server and application). If my web server has moved, it is quite reasonable to redirect a POST to the new process. I might do it for load balancing as well... I wrote the darn thing and won't be issuing a redirect if the request is subject to double jeopardy.

Demanding user permission is like writing 5 page credit card agreements in micro font and then blaming the individual for not understanding the obtuse language.

The protocol MUST support responsible behavior by the application developers.

On Thu, 8 Mar 2007, Julian Reschke wrote:

>
> Adrien de Croy schrieb:
> >
> >
> > one thing - are there any security implications with a browser say
> > automatically resubmitting some POST data to another server based on a
> > redirect code?
>
> Yes. That's why 10.3
> (<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.10.3>) says:
>
> "The action required MAY be carried out by the user agent without
> interaction with the user if and only if the method used in the second
> request is GET or HEAD."
>
> (this part needs to be fixed to say "safe method" instead of "GET or HEAD").
>
> > ...
>
> Best regards, Julian
Received on Thursday, 8 March 2007 20:57:24 UTC
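The rule Julian quotes from RFC 2616 section 10.3, with the "safe method" generalization he proposes, as a user-agent redirect policy. This is an added example, not code from any message in this thread or from any browser: `redirect_decision` and the sample URLs are constructed here, the safe-method set follows RFC 2616 9.1.1, and the 303-becomes-GET rule is RFC 2616 10.3.4. It also flags the case Adrien raised, a redirect that would resubmit the POST body to a different server.

```python
from urllib.parse import urlsplit

# Safe methods per RFC 2616 9.1.1: no side effects, so a user agent may
# follow a redirect with them without asking the user.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

# Redirect statuses whose Location the agent may act on (RFC 2616 10.3).
REDIRECT_STATUSES = frozenset({301, 302, 303, 307})


def second_request_method(status: int, method: str) -> str:
    """Method of the follow-up request the redirect asks for."""
    # 303 See Other explicitly asks for a GET on the new resource;
    # 301/302/307 keep the original method unless the user confirms a change.
    if status == 303:
        return "GET"
    return method.upper()


def redirect_decision(status: int, method: str, original_url: str, location: str):
    """Decide what a user agent may do with a redirect.

    Returns (action, second_method, cross_origin) where action is
    'no-redirect', 'auto' (follow silently) or 'ask-user' (an unsafe
    method such as POST would be replayed, so the agent needs consent).
    cross_origin is True when the replay would go to another server.
    """
    if status not in REDIRECT_STATUSES:
        return ("no-redirect", method.upper(), False)

    new_method = second_request_method(status, method)
    orig, new = urlsplit(original_url), urlsplit(location)
    cross_origin = (orig.scheme, orig.netloc) != (new.scheme, new.netloc)

    # RFC 2616 10.3, generalized to "safe method": only a safe follow-up
    # request may be issued without user interaction.
    if new_method in SAFE_METHODS:
        return ("auto", new_method, cross_origin)
    return ("ask-user", new_method, cross_origin)


if __name__ == "__main__":
    # Constructed sample: a form POST answered by 307 pointing at another host,
    # which would replay the body (and its side effects) to a different server.
    print(redirect_decision(307, "POST", "http://shop.example/order", "http://other.example/order"))
```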