
RE: Redirection of a POST as a GET

From: Mike Schinkel <mikeschinkel@gmail.com>
Date: Thu, 8 Mar 2007 16:32:26 -0500
To: "'David Morris'" <dwm@xpasc.com>, "'Adrien de Croy'" <adrien@qbik.com>
Cc: <ietf-http-wg@w3.org>
Message-ID: <01fa01c761c9$52375ff0$0702a8c0@Guides.local>

David Morris
> If you have a trust relationship with the original server, 
> you darn well better be able to trust what that server does 
> with your data ... and in my mind, that extends to trusting 
> that server to not redirect to an untrusted server.
> 
> In any case, if this data is sensitive, you should make sure 
> it is sent in an SSL protected session and it seems VERY 
> reasonable to not allow the scheme to change in a redirect 
> ... certainly not a down grade in security level.
> 
> Telling the average user there is a concern isn't worth the effort.

I was going to say essentially the same, but since you already did I'll just
+1.

Also, as a user, I myself would get pissed if I had to fill out a login form
twice and be mad at the website, not realizing it was the specification's
fault.

-- 
-Mike Schinkel
http://www.mikeschinkel.com/blogs/
http://www.welldesignedurls.org
http://atlanta-web.org - http://t.oolicio.us
Received on Thursday, 8 March 2007 21:33:09 GMT
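The redirect policy David Morris argues for and Mike seconds above (a client may follow the redirect, but must never let it drop the request out of TLS) can be stated precisely as a client-side decision function. The following is an added example, not code from the mailing-list message or from any W3C or IETF project. It encodes the browser behaviour that RFC 7231 later wrote down (301/302 may turn a POST into a GET, 303 always re-issues as GET, 307/308 keep the method and body) and refuses any https to http redirect. The Request/Redirect types, the `send` callback, the FAKE_SERVER routing table and the example.test-style URLs are assumptions constructed for this illustration.

```python
"""Redirect-following policy for an HTTP client that refuses scheme downgrades.

Added example (not part of the original message). Rules encoded:
  301/302  POST is re-issued as GET without the body (browser behaviour,
           permitted by RFC 7231); other methods are kept as-is.
  303      always re-issued as GET (HEAD stays HEAD), body dropped.
  307/308  method and body preserved exactly.
  any      a redirect from https to a non-https URL is refused outright.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    body: Optional[bytes] = None


@dataclass(frozen=True)
class Redirect:
    status: int
    location: Optional[str] = None   # value of the Location header, if any


class RedirectRefused(Exception):
    """Raised when following a redirect would weaken the original request."""


def next_request(req: Request, resp: Redirect) -> Optional[Request]:
    """Return the request the client should issue next, or None if resp is
    not a redirect. Raises RedirectRefused instead of downgrading."""
    if resp.status not in REDIRECT_STATUSES:
        return None
    if not resp.location:
        raise RedirectRefused(f"{resp.status} without a Location header")

    target = urljoin(req.url, resp.location)       # Location may be relative
    src, dst = urlsplit(req.url), urlsplit(target)

    # The thread's point: never let a redirect take the request out of TLS.
    # Same-scheme and http -> https (an upgrade) redirects are allowed.
    if src.scheme == "https" and dst.scheme != "https":
        raise RedirectRefused(
            f"refusing https -> {dst.scheme or '?'} downgrade to {target}")

    method, body = req.method.upper(), req.body
    if resp.status == 303:
        method, body = ("HEAD" if method == "HEAD" else "GET"), None
    elif resp.status in (301, 302) and method == "POST":
        method, body = "GET", None
    # 307/308 (and 301/302 for non-POST methods) resend method and body.
    return Request(method, target, body)


def follow(req: Request,
           send: Callable[[Request], Tuple[int, Optional[str]]],
           max_redirects: int = 5) -> Tuple[int, Request]:
    """Send req through the caller-supplied transport `send`, which returns
    (status, Location-or-None), following redirects under the policy above.
    Returns the final (status, request) pair."""
    for _ in range(max_redirects + 1):
        status, location = send(req)
        nxt = next_request(req, Redirect(status, location))
        if nxt is None:
            return status, req
        req = nxt
    raise RedirectRefused("too many redirects")


# Constructed routing table standing in for a server, keyed by (method, url).
FAKE_SERVER = {
    ("POST", "https://app.example/login"): (302, "/welcome"),
    ("GET", "https://app.example/welcome"): (200, None),
    ("POST", "https://app.example/api/submit"): (307, "https://api.example/submit"),
    ("POST", "https://api.example/submit"): (200, None),
    ("POST", "https://app.example/leaky"): (302, "http://app.example/welcome"),
}


def fake_send(req: Request) -> Tuple[int, Optional[str]]:
    return FAKE_SERVER.get((req.method, req.url), (404, None))


if __name__ == "__main__":
    print(follow(Request("POST", "https://app.example/login", b"user=x"), fake_send))
    print(follow(Request("POST", "https://app.example/api/submit", b"{}"), fake_send))
    try:
        follow(Request("POST", "https://app.example/leaky", b"user=x"), fake_send)
    except RedirectRefused as exc:
        print("refused:", exc)
```

Note that with a 307 the POST body is resent verbatim to whatever host the Location names, which is exactly the "trust the server not to redirect you to an untrusted server" relationship David describes; the policy here only guarantees the resend stays inside TLS, it does not second-guess the destination host.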

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:00 GMT