
Re: HTTPbis and the Same Origin Policy

From: Joe Gregorio <joe@bitworking.org>
Date: Tue, 1 Dec 2009 10:00:22 -0500
Message-ID: <a23d87fa0912010700gd6be076jb75140ebc4460e67@mail.gmail.com>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
Cc: Tyler Close <tyler.close@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Mon, Nov 30, 2009 at 5:52 PM, Manger, James H
<James.H.Manger@team.telstra.com> wrote:
>> The 307 redirect target resource is a good guy. The webbot and the redirect
>> target live behind the same firewall. The evil resource lives outside the
>> firewall. For the protection of the good guy resource, the webbot must
>> enforce the SOP, so that the redirect is not followed.
>
> This actually is covered by the HTTP spec (1.1 and HTTPbis).
> For instance, 8.3.8 307 Temporary Redirect says:
>
>   If the 307 status code is received in response to a request method
>   that is known to be "safe", as defined in Section 7.1.1, then the
>   request MAY be automatically redirected by the user agent without
>   confirmation.  Otherwise, the user agent MUST NOT automatically
>   redirect the request unless it can be confirmed by the user, since
>   this might change the conditions under which the request was issued.
>
> [http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-08#section-8.3.8]
>
> At the HTTP layer it is not a same-origin issue, but a wider issue with methods that are not "safe".

I've covered these scenarios in httplib2 with the .follow_redirects
and .follow_all_redirects options:

   http://httplib2.googlecode.com/hg/doc/html/libhttplib2.html#httplib2.Http.follow_redirects

Tyler, are you asking for HTTP client libraries to provide something
more comprehensive than that?

   Thanks,
   -joe

> James Manger
Received on Tuesday, 1 December 2009 15:01:04 GMT
