
RE: HTTPbis and the Same Origin Policy

From: Manger, James H <James.H.Manger@team.telstra.com>
Date: Tue, 1 Dec 2009 09:52:34 +1100
To: Tyler Close <tyler.close@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <255B9BB34FB7D647A506DC292726F6E1124A7D6418@WSMSG3153V.srv.dir.telstra.com>
> The 307 redirect target resource is a good guy. The webbot and the redirect 
> target live behind the same firewall. The evil resource lives outside the 
> firewall. For the protection of the good guy resource, the webbot must 
> enforce the SOP, so that the redirect is not followed.

This actually is covered by the HTTP spec (1.1 and HTTPbis).
For instance, 8.3.8 307 Temporary Redirect says:

   If the 307 status code is received in response to a request method
   that is known to be "safe", as defined in Section 7.1.1, then the
   request MAY be automatically redirected by the user agent without
   confirmation.  Otherwise, the user agent MUST NOT automatically
   redirect the request unless it can be confirmed by the user, since
   this might change the conditions under which the request was issued.

[http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-08#section-8.3.8]

At the HTTP layer it is not a same-origin issue, but a wider issue with methods that are not "safe".


James Manger
Received on Monday, 30 November 2009 22:53:14 GMT
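The 307 rule quoted in the message, turned into a redirect policy for a simple HTTP client (a "webbot"), as an added example that is not code from this thread or from any HTTP implementation: a 307 to a request with a "safe" method is followed automatically; for any other method the client stops unless a confirmation callback says yes. The `Response` class, the route table that stands in for the firewall scenario, and the `fake_send`/`confirm` callbacks are constructed here for illustration; treating OPTIONS and TRACE as safe alongside GET and HEAD follows the later RFC 7231 and is an assumption.

```python
"""Redirect handling for a webbot that applies the HTTPbis 307 rule:
follow automatically only for "safe" methods, otherwise require confirmation.

Added example; not code from the mailing-list thread. Response, ROUTES,
fake_send and the confirm callback are constructed for illustration."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

# "Safe" methods: GET and HEAD per HTTPbis p2 section 7.1.1. OPTIONS and TRACE
# are listed as safe in the later RFC 7231 (assumption: treated as safe here).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})

Confirm = Callable[[str, str, str], bool]


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def redirect_decision(method: str, url: str, resp: Response,
                      confirm: Optional[Confirm] = None
                      ) -> Tuple[str, Optional[str], Optional[str]]:
    """Decide what to do with a response to `method url`.

    Returns (action, next_method, next_url), action being 'done' (not a
    redirect we handle), 'follow' or 'stop'. Only 307 is handled: a 307 must be
    replayed with the *same* method, which is exactly why the spec forbids
    following it automatically when the method is not safe."""
    if resp.status != 307:
        return ("done", None, None)
    location = resp.headers.get("Location")
    if location is None:
        return ("done", None, None)       # nothing to follow
    target = urljoin(url, location)       # Location may be relative
    if method.upper() in SAFE_METHODS:
        return ("follow", method, target)  # MAY redirect without confirmation
    # Non-safe method: MUST NOT redirect automatically; ask if we can.
    if confirm is not None and confirm(method, url, target):
        return ("follow", method, target)
    return ("stop", None, None)


def fetch(send: Callable[[str, str], Response], method: str, url: str,
          confirm: Optional[Confirm] = None, max_redirects: int = 5
          ) -> Tuple[str, int, List[str]]:
    """Send a request and apply redirect_decision in a loop.

    Returns (outcome, last_status, trail): outcome is 'completed' or 'halted'
    (a 307 left unfollowed for the caller to deal with); trail lists every URL
    actually requested, so the operator can audit where the bot went."""
    trail = [url]
    for _ in range(max_redirects + 1):
        resp = send(method, url)
        action, next_method, next_url = redirect_decision(method, url, resp, confirm)
        if action == "done":
            return ("completed", resp.status, trail)
        if action == "stop":
            return ("halted", resp.status, trail)
        method, url = next_method, next_url
        trail.append(url)
    raise RuntimeError("too many redirects")


# Constructed route table for the scenario in the thread: the bot and the
# resource answering 307 sit on the internal host; one Location points outside.
ROUTES = {
    ("POST", "http://internal.example/submit"):
        Response(307, {"Location": "http://evil.example/collect"}),
    ("GET", "http://internal.example/report"):
        Response(307, {"Location": "/report-v2"}),
    ("GET", "http://internal.example/report-v2"):
        Response(200, {}, b"report"),
    ("POST", "http://evil.example/collect"):
        Response(200, {}, b"got it"),
}


def fake_send(method: str, url: str) -> Response:
    """Stand-in for a real transport: looks the request up in ROUTES."""
    return ROUTES.get((method.upper(), url), Response(404))


if __name__ == "__main__":
    # POST + 307 to an external host: not safe, no confirmation -> halted.
    print(fetch(fake_send, "POST", "http://internal.example/submit"))
    # GET + 307: safe, followed automatically (relative Location resolved).
    print(fetch(fake_send, "GET", "http://internal.example/report"))
    # POST + 307 with a user who says yes: replayed, with the same method.
    print(fetch(fake_send, "POST", "http://internal.example/submit",
                confirm=lambda m, u, t: True))
```

The decision deliberately ignores whether the redirect target is inside or outside the firewall: the rule that protects the internal resource here is the method check, not an origin comparison, which is the point James makes about this being a "safe method" issue rather than a same-origin one at the HTTP layer. The `trail` is what you would log in a real bot so that any followed redirect can be reviewed after the fact.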
