
Re: Redirection of a POST as a GET

From: Henrik Nordstrom <henrik@henriknordstrom.net>
Date: Thu, 08 Mar 2007 23:56:29 +0100
To: Adrien de Croy <adrien@qbik.com>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <1173394589.4320.45.camel@henriknordstrom.net>
On Fri, 2007-03-09 at 00:02 +1300, Adrien de Croy wrote:

> I'm not sure how comfortable I would be typing my username and password 
> into a form, and then having my browser automatically sending that 
> information off to another site without my knowledge because the site 
> sent back a 307.

And the specs do not allow it without user confirmation.

This security blanket has always been in the specs regarding automatic
redirection, only allowing it to take place for GET/HEAD requests
without user confirmation. Even the HTTP/1.0 specs have this security
restriction.

Regards
Henrik

Received on Thursday, 8 March 2007 22:56:42 GMT
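The rule Henrik is describing (RFC 2616 sections 10.3.2, 10.3.3 and 10.3.8: a 301, 302 or 307 received in response to anything other than GET or HEAD must not be redirected automatically unless the user confirms it, while a 303 is always re-requested with GET) can be written down as a small user-agent policy. The following is an added example, not code from this thread or from any particular browser or proxy; the function names `redirect_decision` and `walk_redirects`, and the scripted `responses` table standing in for a server, are assumptions made for the illustration.

```python
"""Redirect policy modelled on RFC 2616 sections 10.3.2-10.3.8.

Added example for the thread above; not code from the list or from any
browser. Decides whether a user agent may follow a redirect on its own
or must first ask the user, which is exactly the case Adrien raised:
a POSTed login form answered with a 307 to another site.
"""
from urllib.parse import urljoin

SAFE_METHODS = {"GET", "HEAD"}
REDIRECT_STATUSES = {301, 302, 303, 307}


def redirect_decision(method, status, request_url, location):
    """Return (action, next_method, target).

    action is one of:
      'follow'  - may be re-requested without asking the user
      'confirm' - the spec requires user confirmation before re-sending
      'stop'    - not a redirect this policy handles; show it to the user
    """
    method = method.upper()
    if status not in REDIRECT_STATUSES or not location:
        return ("stop", method, None)

    # Location may be relative; resolve it against the request URL.
    target = urljoin(request_url, location)

    if status == 303:
        # RFC 2616 10.3.4: re-request the new URI with GET; the POST body
        # is discarded, so nothing the user typed is forwarded.
        return ("follow", "GET", target)

    if method in SAFE_METHODS:
        # 301/302/307 on GET/HEAD: automatic redirection is permitted.
        return ("follow", method, target)

    # 301/302/307 on POST (or any other non-safe method): the body and
    # method would be re-sent to `target`, possibly another origin.
    # RFC 2616 says the agent MUST NOT do this without user confirmation.
    return ("confirm", method, target)


def walk_redirects(method, url, responses, max_hops=5):
    """Walk a chain of scripted responses until the policy stops.

    `responses` maps a URL to (status, location); a URL that is not in
    the table is treated as a plain 200. Returns the list of
    (url, method, status, action) steps taken, so a caller can see where
    the chain halted and why.
    """
    trace = []
    for _ in range(max_hops):
        status, location = responses.get(url, (200, None))
        action, next_method, target = redirect_decision(
            method, status, url, location
        )
        trace.append((url, method, status, action))
        if action != "follow":
            return trace
        method, url = next_method, target
    trace.append((url, method, None, "too-many-redirects"))
    return trace


# Constructed responses for illustration; no real servers are involved.
RESPONSES = {
    # A login POST answered with a 307 pointing at a different site.
    "https://app.example/login": (307, "https://other.example/login"),
    # Post/redirect/get: a 303 to a relative URL on the same site.
    "https://app.example/form": (303, "/done"),
    "https://app.example/done": (200, None),
    # Two resources that redirect to each other.
    "https://loop.example/a": (302, "/b"),
    "https://loop.example/b": (302, "/a"),
}


if __name__ == "__main__":
    for m, u in [("POST", "https://app.example/login"),
                 ("POST", "https://app.example/form"),
                 ("GET", "https://app.example/login"),
                 ("GET", "https://loop.example/a")]:
        for step in walk_redirects(m, u, RESPONSES):
            print(step)
        print()
```

Running it shows the POSTed login halting at `confirm` on the 307, while the same URL fetched with GET is followed silently and the 303 form submission is converted into a GET of `/done`. The hop limit is not in the thread's RFC text but any real client needs one; the loop case shows why. Note that RFC 2616 itself records (in the 302 section) that most user agents in practice turn a 302 on POST into a GET rather than asking the user, which is the behaviour that 303 and 307 were introduced to make explicit.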
