
Re: Redirection of a POST as a GET

From: Adrien de Croy <adrien@qbik.com>
Date: Fri, 09 Mar 2007 12:13:09 +1300
Message-ID: <45F09885.8090108@qbik.com>
To: Henrik Nordstrom <henrik@henriknordstrom.net>
CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>


Thanks for that.

This may be a key factor in why we are in the state we are in (i.e. why 
everyone responds to a 30x from a POST with a GET): because it's the 
"safe and obvious" option, albeit non-conformant.

Anyone who's run Vista knows how painful nags can get.  You can hardly 
do anything without being prompted to make this or that decision; even 
when you've just told it to do something, it still asks for security 
clearance (even when you're an admin).

Most people just want the thing to work with as little thought and extra 
effort required as possible.

So designing requirements into the spec to prompt users for decisions is 
kinda doomed, I think.  There will be strong consumer pressure to disable 
the nags, which software writers will respond to by implementing 
nag-disabling options, which people will then turn on.  Alternatively, 
there will be pressure brought to bear on site writers not to return 307 
responses because it generates a nag.  Either way the potential benefits 
of the 307 could end up being lost, in which case....



Henrik Nordstrom wrote:
> Fri 2007-03-09 at 00:02 +1300, Adrien de Croy wrote:
>
>> I'm not sure how comfortable I would be typing my username and password 
>> into a form, and then having my browser automatically send that 
>> information off to another site without my knowledge because the site 
>> sent back a 307.
>
> And the specs do not allow it without user confirmation.
>
> This security blanket has always been in the specs regarding automatic
> redirection, only allowing it to take place for GET/HEAD requests
> without user confirmation. Even the HTTP/1.0 spec has this security
> restriction.
>
> Regards
> Henrik
Received on Thursday, 8 March 2007 23:13:13 GMT
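The redirect rule the thread is arguing about, written out as a small decision routine. This is an added example for this archive page, not code from either correspondent or from any browser: it encodes the HTTP/1.1 (RFC 2616) rule Henrik quotes (a 301/302/307 received in reply to anything other than GET or HEAD is not followed automatically unless the user confirms; a 303 is always re-issued as a GET without the body), plus a "browser" mode that reproduces the non-conformant practice Adrien describes (any 30x after a POST is re-sent as a GET). The names Request, Decision, decide, refuse_cross_origin, the example.com/other.example URLs and the form body are all hypothetical, constructed for the example.

```python
"""Redirect policy for a hypothetical HTTP client, after RFC 2616:
301/302/307 in reply to a non-GET/HEAD request need user confirmation
before the method and body are replayed; 303 always becomes a GET.
'browser' mode mimics the common (non-conformant) POST->GET downgrade.
This is illustrative code, not any real user agent's implementation."""

from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit

SAFE_METHODS = {"GET", "HEAD"}
REDIRECTS = {301, 302, 303, 307}


@dataclass
class Request:
    method: str
    url: str
    body: Optional[bytes] = None


@dataclass
class Decision:
    follow: bool                  # issue a new request at all?
    request: Optional[Request]    # the request to send, when follow is True
    reason: str                   # why this outcome was chosen


def same_origin(a: str, b: str) -> bool:
    """Compare scheme, host and port of two absolute URLs."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


def refuse_cross_origin(original: Request, replay: Request) -> bool:
    """Example confirmation policy standing in for a user prompt: allow the
    replay only if the body stays with the origin the user submitted it to,
    so a 307 cannot silently ship a login form to another site."""
    return same_origin(original.url, replay.url)


def decide(req: Request, status: int, location: str,
           confirm: Callable[[Request, Request], bool],
           mode: str = "spec") -> Decision:
    """Decide how to react to a 3xx response to req (Location may be relative)."""
    if status not in REDIRECTS:
        return Decision(False, None, f"{status} is not a redirect")
    target = urljoin(req.url, location)

    if status == 303:
        # 303: always re-fetch the new URI with GET; the original body is dropped.
        return Decision(True, Request("GET", target), "303: re-fetch Location with GET")

    if req.method in SAFE_METHODS:
        # GET/HEAD carry no body, so the spec allows automatic redirection.
        return Decision(True, Request(req.method, target),
                        f"{status}: safe method followed automatically")

    if mode == "browser":
        # The widespread non-conformant behaviour: POST silently becomes GET.
        return Decision(True, Request("GET", target),
                        f"{status}: {req.method} downgraded to GET (browser practice)")

    # Spec mode: the replay keeps method and body, so the user must confirm it.
    replay = Request(req.method, target, req.body)
    if confirm(req, replay):
        return Decision(True, replay, f"{status}: replay of {req.method} confirmed")
    return Decision(False, None, f"{status}: replay of {req.method} not confirmed")


if __name__ == "__main__":
    # Constructed sample: a login POST answered with various redirects.
    login = Request("POST", "https://example.com/login", b"user=alice&pw=hunter2")
    cases = [(307, "https://other.example/collect"), (307, "/home"),
             (303, "/home"), (302, "https://other.example/collect")]
    for status, loc in cases:
        for mode in ("spec", "browser"):
            d = decide(login, status, loc, refuse_cross_origin, mode)
            sent = f"{d.request.method} {d.request.url}" if d.request else "-"
            print(f"{mode:8} {status} {loc:32} -> {sent:45} {d.reason}")
```

In spec mode the cross-origin 307 and 302 are refused because the confirmation policy declines them, the same-origin 307 is replayed with the POST body intact, and the 303 becomes a bodiless GET; in browser mode every case except the 303 ends up as a GET with the body discarded, which is exactly the silent downgrade the thread describes.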
