
Re: HTTPbis and the Same Origin Policy

From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 30 Nov 2009 23:34:02 +0100 (CET)
To: Tyler Close <tyler.close@gmail.com>
cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <alpine.DEB.2.00.0911302327380.3133@tvnag.unkk.fr>
On Mon, 30 Nov 2009, Tyler Close wrote:

> The 307 redirect target resource is a good guy. The webbot and the redirect 
> target live behind the same firewall. The evil resource lives outside the 
> firewall. For the protection of the good guy resource, the webbot must 
> enforce the SOP, so that the redirect is not followed. No HTML is involved 
> in this scenario. Whose specification of the SOP is the webbot enforcing? Of 
> what assistance should libcurl be in enforcing the SOP?

Oh right. I think I understand what you're saying now. You want the HTTP client 
to somehow detect that it isn't allowed to follow redirects to that target (in 
that manner) and stop because a SOP somehow says so.

How do you suggest that would be told to the client?

Couldn't the TARGET here rather use Referer (or Origin or what not) to detect 
that there's a redirect coming from externally and ignore it?

It clearly can't be HTTPbis material though, since in my eyes it seems to be a 
rather major extension or change of what HTTP is and what it allows today.

-- 

  / daniel.haxx.se
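As an added illustration (not code from the thread, from libcurl, or from the HTTP WG), this is one way a client could apply the same-origin check Tyler describes before following a 307: it only follows a Location that resolves to the origin the request was made to, so a response from an external resource cannot steer the client to an internal one. The redirect chain and all URLs are constructed sample data; the function names are hypothetical.

```python
from urllib.parse import urlsplit, urljoin

# Status codes a client treats as redirects.
REDIRECT_STATUSES = (301, 302, 303, 307, 308)

def origin_of(url):
    """Return the (scheme, host, port) origin of a URL, filling in default ports."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port or default_port)

def should_follow(request_url, status, location):
    """Same-origin redirect policy: follow only if the target shares the request's origin."""
    if status not in REDIRECT_STATUSES or location is None:
        return False
    return origin_of(request_url) == origin_of(urljoin(request_url, location))

def resolve_chain(start_url, responses, max_hops=5):
    """Walk a redirect chain under the policy.

    `responses` maps a URL to a (status, Location header or None) pair and stands in
    for the real server responses.  Returns (last URL reached, outcome)."""
    url = start_url
    for _ in range(max_hops):
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES:
            return url, "ok"
        if not should_follow(url, status, location):
            return url, "blocked"        # cross-origin redirect refused, request stops here
        url = urljoin(url, location)
    return url, "too-many-redirects"

# Constructed sample responses: an external resource tries to redirect the webbot
# to a host behind its firewall; an internal resource redirects within its own origin.
SAMPLE_RESPONSES = {
    "http://evil.example/start": (307, "http://intranet.example/admin"),
    "http://intranet.example/admin": (200, None),
    "http://intranet.example/a": (307, "/b"),
    "http://intranet.example/b": (200, None),
    "https://intranet.example/secure": (307, "http://intranet.example/b"),  # scheme change
}

if __name__ == "__main__":
    for start in ("http://evil.example/start", "http://intranet.example/a",
                  "https://intranet.example/secure"):
        print(start, "->", resolve_chain(start, SAMPLE_RESPONSES))
```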
Received on Monday, 30 November 2009 22:34:36 GMT
