
Re: Redirection of a POST as a GET

From: Julian Reschke <julian.reschke@gmx.de>
Date: Thu, 08 Mar 2007 22:42:38 +0100
Message-ID: <45F0834E.30805@gmx.de>
To: Mike Schinkel <mikeschinkel@gmail.com>
CC: 'David Morris' <dwm@xpasc.com>, 'Adrien de Croy' <adrien@qbik.com>, ietf-http-wg@w3.org

Mike Schinkel wrote:
> David Morris
>> If you have a trust relationship with the original server, 
>> you darn well better be able to trust what that server does 
>> with your data ... and in my mind, that extends to trusting 
>> that server to not redirect to an untrusted server.
>>
>> In any case, if this data is sensitive, you should make sure 
>> it is sent in an SSL protected session and it seems VERY 
>> reasonable to not allow the scheme to change in a redirect 
>> ... certainly not a downgrade in security level.
>>
>> Telling the average user there is a concern isn't worth the effort.
> 
> I was going to say essentially the same, but since you already did I'll just
> +1.
> 
> Also, as a user, I myself would get pissed if I had to fill out a login form
> twice and be mad at the website, not realizing it was the specification's
> fault.

Well.

If a server redirects POST request from /a to /b *on the same server*, 
blame the server. It could easily let the request on /a succeed, or 
shouldn't have exposed /a in the first place. You know, Cool URIs Do Not 
Change.

Best regards, Julian
Received on Thursday, 8 March 2007 21:43:02 GMT
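The two client-side concerns raised in this exchange, a POST being replayed as a GET and a redirect downgrading the scheme, can be captured as a redirect policy. The following is an added example written for this archive page, not code from any of the participants or from any HTTP implementation; the function names (`redirect_decision`, `resolve_location`, `origin_of`) and the constructed URLs are assumptions. It encodes the status-code semantics that were already in RFC 2616 (301/302 must not be auto-redirected for a POST without confirmation, 303 always becomes GET, 307 preserves method and body) plus 308, which was added later, and refuses any https-to-http downgrade outright, as David Morris argues.

```python
"""Redirect policy for an HTTP client that forwards user-submitted data.

Added example (not from the thread). Decides whether a redirect should be
followed, with which method, and whether the request body is resent.
"""
from typing import NamedTuple, Optional
from urllib.parse import urljoin, urlsplit

SCHEME_RANK = {"http": 0, "https": 1}      # higher = stronger transport
DEFAULT_PORT = {"http": 80, "https": 443}


class Decision(NamedTuple):
    follow: bool
    method: Optional[str]   # method to use on the new request, if followed
    resend_body: bool       # whether the original body is sent again
    reason: str


def resolve_location(request_url: str, location: str) -> str:
    """Resolve a possibly relative Location header against the request URL."""
    return urljoin(request_url, location)


def origin_of(url: str):
    """(scheme, host, port) triple with the scheme's default port filled in,
    so https://example.com and https://example.com:443 compare equal."""
    p = urlsplit(url)
    return (p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORT.get(p.scheme))


def redirect_decision(method: str, request_url: str, status: int, location: str,
                      has_body: bool = False) -> Decision:
    """Apply the redirect policy to one response (hypothetical policy, see lead-in)."""
    target = resolve_location(request_url, location)
    src, dst = origin_of(request_url), origin_of(target)

    if src[0] not in SCHEME_RANK or dst[0] not in SCHEME_RANK:
        return Decision(False, None, False, "refuse: unsupported scheme in redirect")

    # Never follow a downgrade: cookies and bodies would leave the SSL session.
    if SCHEME_RANK[dst[0]] < SCHEME_RANK[src[0]]:
        return Decision(False, None, False, "refuse: https->http downgrade")

    if status == 303:
        # 303 See Other: the new request is a GET (HEAD stays HEAD), no body.
        new_method = "HEAD" if method == "HEAD" else "GET"
        return Decision(True, new_method, False, "303: retry as GET without body")

    if status in (307, 308):
        # Method and body are preserved; replaying a body to a different
        # origin hands the user's data to a server they never submitted it to.
        if has_body and src != dst:
            return Decision(False, None, False,
                            "refuse: would replay request body to another origin")
        return Decision(True, method, has_body, f"{status}: method and body preserved")

    if status in (301, 302):
        if method in ("GET", "HEAD"):
            return Decision(True, method, False, f"{status}: safe method, follow")
        # RFC 2616: do not auto-redirect a POST here without user confirmation.
        # Clients that do so replay it as a GET and silently drop the body,
        # which is exactly the "fill the form in twice" case above.
        return Decision(False, None, False,
                        f"{status}: {method} would be replayed as GET and the body dropped; "
                        "ask the user")

    return Decision(False, None, False, "not a redirect status")


if __name__ == "__main__":
    # Constructed sample: a login POST that the server answers with a redirect.
    for status, loc in ((302, "/b"), (303, "/b"), (307, "/b"), (307, "http://example.com/b")):
        print(status, loc, redirect_decision("POST", "https://example.com/a", status, loc,
                                             has_body=True))
```

The policy is deliberately stricter than what browsers do: a 301/302 on a POST is surfaced rather than silently turned into a GET, and a 307 that would carry the body to another origin is refused even though the status code permits it. Whether to relax either rule is a trust decision for the client, which is the point being argued in the thread.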
