Re: HTTPbis and the Same Origin Policy

From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 30 Nov 2009 22:00:26 +0100 (CET)
To: Tyler Close <tyler.close@gmail.com>
cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <alpine.DEB.2.00.0911302157330.5931@tvnag.unkk.fr>
On Mon, 30 Nov 2009, Tyler Close wrote:

>> An API such as libcurl (http://curl.haxx.se/libcurl/) doesn't contain any 
>> such restrictions, or does it?
>
> If you use libcurl to send a PUT request and the target resource responds 
> with a 307, which libcurl then automatically follows

libcurl only "automatically" follows that if the app told it to act like that. 
It follows no redirects by default. I know that's not the topic here but I 
thought I'd clarify.

> Consider a webbot that sends a PUT request to a resource on the open 
> Internet, which responds with a 307 to a resource behind the same firewall 
> as the webbot. The webbot has essentially punched a hole in the firewall.

If a server does that I would consider that server/page to be a security 
problem or flaw. Even evil guys can run webbots I believe.

-- 

  / daniel.haxx.se
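The scenario discussed in this exchange (a client sends a PUT, the public server answers 307 pointing at a host behind the client's own firewall), as an added example that is not libcurl's code nor anything posted in the thread: a small Python policy that a webbot can run before following any redirect. Following is disabled by default, mirroring libcurl, where the application has to opt in with CURLOPT_FOLLOWLOCATION; the ALLOWED_HOSTS set and every URL in the comments are constructed for illustration, and the name checks are offline heuristics, so a real client should also check what a hostname resolves to.

```python
"""Redirect policy for a webbot: refuse 3xx targets that would pull the
client into private address space or off an allowlist.  Added example
only; not libcurl code and not part of the original mailing-list thread."""
import ipaddress
from urllib.parse import urljoin, urlsplit

# Constructed allowlist: the only hosts this bot may be redirected to.
ALLOWED_HOSTS = {"example.com", "api.example.com"}


def is_internal_host(host):
    """True when `host` is an IP literal in a private, loopback, link-local or
    reserved range, or a dotless/.local name typical of hosts behind the bot's
    own firewall.  Offline heuristic only: a public-looking name can still
    resolve to an internal address, so resolve and re-check in a real client."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat bare names and .local names as internal.
        return "." not in host or host.endswith(".local")
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved


def redirect_decision(original_url, status, location, method, follow_redirects=False):
    """Decide whether the 3xx `status` with header `location`, received for a
    `method` request to `original_url`, may be followed.
    Returns (follow, resolved_target_url, reason)."""
    # Resolve a relative Location against the request URL (RFC 3986 style).
    target = urljoin(original_url, location)

    # Default off: like libcurl, the application must explicitly opt in.
    if not follow_redirects:
        return False, target, "redirect following disabled (client default)"

    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False, target, "scheme not allowed"

    host = parts.hostname or ""  # lowercased, IPv6 brackets already stripped
    if is_internal_host(host):
        return False, target, "redirect into private address space"
    if host not in ALLOWED_HOSTS:
        return False, target, "host not on allowlist"

    # 307/308 replay the original method and body, so a PUT stays a PUT and
    # the payload is sent again to the new target.
    if status in (307, 308) and method in ("PUT", "POST", "DELETE"):
        return True, target, f"following; {method} and body are resent"
    return True, target, "following"


if __name__ == "__main__":
    # Constructed sample: the PUT-then-307-into-the-firewall case from the thread.
    print(redirect_decision("https://example.com/item", 307,
                            "http://10.0.0.5/admin", "PUT", follow_redirects=True))
    # Constructed sample: a same-site relative redirect, which is fine to follow.
    print(redirect_decision("https://example.com/item", 307, "/other", "PUT",
                            follow_redirects=True))
```

The point worth keeping from the thread is the ordering: the decision about whether a redirect is safe belongs to the client that knows which network it sits on, so the check runs on the resolved target before any request is re-issued, and it is off unless the application turns it on.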
Received on Monday, 30 November 2009 21:01:06 GMT