W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2007

RE: Redirection of a POST as a GET

From: David Morris <dwm@xpasc.com>
Date: Thu, 8 Mar 2007 13:51:32 -0800 (PST)
To: Eric Lawrence <ericlaw@exchange.microsoft.com>
cc: Adrien de Croy <adrien@qbik.com>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-ID: <Pine.LNX.4.33.0703081344470.22800-100000@egate.xpasc.com>


I agree ... that is perhaps a very well known special case which deserves
some form of distinguishing design ... perhaps a special redirect code
which would mean temporary change of security level for authentication.

In then end, I only want user choice required when they have a chance
of understanding the significance of the choice.

On Thu, 8 Mar 2007, Eric Lawrence wrote:

>
> << it seems VERY reasonable to not allow the
> scheme to change in a redirect ... certainly not a down grade in security
> level.>>
>
> Even here there's likely to be a problem.  A common pattern for web-based
> logins is to send credentials to a HTTPS page, and that returns a
> redirect with a Set-Cookie header containing an authenticated token.
> The redirected page is very often a HTTP page, and hence would trigger
> the warning in your model.
>
> -Eric
>
> -----Original Message-----
> From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of David Morris
> Sent: Thursday, March 08, 2007 1:12 PM
> To: Adrien de Croy
> Cc: ietf-http-wg@w3.org Group
> Subject: Re: Redirection of a POST as a GET
>
>
>
> If you have a trust relationship with the original server, you darn well
> better beable to trust what that server does with your data ... and in my
> mind, that extends to trusting that server to not redirect to an untrusted
> server.
>
> In any case, if this data is sensitive, you should make sure it is sent in
> an SSL protected session and it seems VERY reasonable to not allow the
> scheme to change in a redirect ... certainly not a down grade in security
> level.
>
> Telling the average user there is a concern isn't worth the effort.
^>
Received on Thursday, 8 March 2007 21:51:44 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:00 GMT