RE: HTTPbis and the Same Origin Policy

> The 307 redirect target resource is a good guy. The webbot and the redirect 
> target live behind the same firewall. The evil resource lives outside the 
> firewall. For the protection of the good guy resource, the webbot must 
> enforce the SOP, so that the redirect is not followed.

This actually is covered by the HTTP spec (1.1 and HTTPbis).
For instance, 8.3.8 307 Temporary Redirect says:

   If the 307 status code is received in response to a request method
   that is known to be "safe", as defined in Section 7.1.1, then the
   request MAY be automatically redirected by the user agent without
   confirmation.  Otherwise, the user agent MUST NOT automatically
   redirect the request unless it can be confirmed by the user, since
   this might change the conditions under which the request was issued.

[http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-08#section-8.3.8]

At the HTTP layer it is not a same-origin issue, but a wider issue with methods that are not "safe".


James Manger

Received on Monday, 30 November 2009 22:53:14 UTC
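The point above, as an added example that is not part of the thread and not code from any real HTTP client: a small redirect resolver for an automated user agent that applies the quoted 307 rule. A 307 received for a request with a safe method is followed automatically; a 307 for any other method is handed back to the caller unless a confirmation callback says yes. The resolver records whether each hop crosses an origin, but the decision never depends on it, which is the "not a same-origin issue" observation. The Request/Response types, the transport callable, the host names and the confirmation hook are assumptions made for the demonstration, and the responses are constructed, not captured.

```python
"""
Redirect policy for an automated HTTP client ("webbot") implementing the 307
rule quoted above: safe methods MAY be redirected automatically; other methods
MUST NOT be redirected unless the user confirms. Added example, not code from
the mailing-list thread or any HTTP implementation; types, hosts and the
`confirm` hook are assumptions for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Safe methods: GET and HEAD in RFC 2616 section 9.1.1; RFC 7231 section 4.2.1
# (the published HTTPbis semantics) also lists OPTIONS and TRACE.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass(frozen=True)
class Request:          # assumed minimal request type
    method: str
    url: str


@dataclass(frozen=True)
class Response:         # assumed minimal response type
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def same_origin(a: str, b: str) -> bool:
    """Browser-style (scheme, host, port) comparison; logged, never decisive."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.hostname, pa.port) == (pb.scheme, pb.hostname, pb.port)


Confirm = Optional[Callable[[Request, str], bool]]


def redirect_decision(req: Request, resp: Response, confirm: Confirm = None) -> Tuple[bool, str]:
    """Apply the 307 rule to one response. Returns (follow, reason)."""
    if resp.status != 307:
        return False, "not a 307"
    target = resp.headers.get("Location")
    if not target:
        return False, "307 without a Location header"
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method: MAY be redirected automatically"
    if confirm is not None and confirm(req, target):
        return True, "unsafe method: redirect confirmed by the user"
    return False, "unsafe method, not confirmed: MUST NOT redirect"


def resolve_redirects(req: Request, transport: Callable[[Request], Response],
                      confirm: Confirm = None, max_hops: int = 5):
    """Send `req` via `transport` (Request -> Response), following 307s only
    where the policy allows. Returns (last request, its response, hop log);
    a refused 307 is returned unchanged so the caller can decide what to do."""
    hops: List[Tuple[str, str, bool, bool, str]] = []
    cur = req
    for _ in range(max_hops + 1):
        resp = transport(cur)
        if resp.status != 307:
            return cur, resp, hops
        follow, reason = redirect_decision(cur, resp, confirm)
        target = urljoin(cur.url, resp.headers.get("Location", ""))
        hops.append((cur.url, target, same_origin(cur.url, target), follow, reason))
        if not follow:
            return cur, resp, hops
        cur = Request(cur.method, target)   # 307 keeps the method; only the URL changes
    raise RuntimeError("redirect chain longer than %d hops" % max_hops)


# Constructed stand-in for the network: an intranet host behind the firewall
# ("the good guy") that answers with 307s, some pointing at an outside host.
FAKE_NETWORK: Dict[Tuple[str, str], Response] = {
    ("POST", "http://intranet.example/upload"): Response(307, {"Location": "http://evil.example/collect"}),
    ("GET", "http://intranet.example/report"): Response(307, {"Location": "http://evil.example/collect"}),
    ("POST", "http://intranet.example/old-form"): Response(307, {"Location": "/new-form"}),
    ("POST", "http://intranet.example/new-form"): Response(200),
    ("GET", "http://evil.example/collect"): Response(200),
    ("POST", "http://evil.example/collect"): Response(200),
}


def fake_transport(req: Request) -> Response:
    return FAKE_NETWORK.get((req.method, req.url), Response(404))


def demo() -> Dict[str, Tuple[str, int]]:
    """Run the thread's scenarios; returns {case: (final URL sent to, final status)}."""
    def always_yes(req: Request, target: str) -> bool:   # stands in for a user saying "yes"
        return True
    cases = {
        "post_cross_origin": (Request("POST", "http://intranet.example/upload"), None),
        "get_cross_origin": (Request("GET", "http://intranet.example/report"), None),
        "post_same_origin": (Request("POST", "http://intranet.example/old-form"), None),
        "post_same_origin_confirmed": (Request("POST", "http://intranet.example/old-form"), always_yes),
    }
    out = {}
    for name, (req, confirm) in cases.items():
        last_req, last_resp, _hops = resolve_redirects(req, fake_transport, confirm)
        out[name] = (last_req.url, last_resp.status)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running it shows the unattended POST to the intranet host stopping at the 307 whether the Location is outside the firewall or on the same host, while the GET to the outside host is followed; only a confirmed POST crosses. An origin check in the bot would have blocked the first case and allowed the third, which is the wrong axis for the risk the spec text describes.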