W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2010

Re: User confirmation and 307 redirects

From: Mark Pauley <mpauley@apple.com>
Date: Thu, 19 Aug 2010 14:27:31 -0700
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Julian Reschke <julian.reschke@gmx.de>, httpbis <ietf-http-wg@w3.org>, Maciej Stachowiak <mjs@apple.com>
Message-Id: <5830D947-D738-4EA9-A740-81FE1018BBD1@apple.com>
To: Adam Barth <ietf@adambarth.com>
I agree: if a 3rd party can send you a redirect, they probably have your bytes too. TLS is the only mechanism I can think of that can beat this threat, and TLS makes the UI confirmation unnecessary, because we've already established that we trust the endpoint enough to send them our sensitive data.


On Aug 19, 2010, at 2:10 PM, Adam Barth wrote:

> On Thu, Aug 19, 2010 at 2:06 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> It isn't a feature.  It is a security constraint.  The fact that some
>> browsers have security holes is well known.
> 
> It's completely ineffective as a security mechanism.  At best, all it
> could do is result in blame-the-user security, which isn't security at
> all.
> 
> Adam
> 
Received on Thursday, 19 August 2010 21:28:04 GMT
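The mechanics the thread argues about, as an added example that is not part of the original message or of any browser's code: a small model of what a client re-sends after a 3xx to a request that carried a body, so the 307 case (method and body preserved) can be set beside 301/302 (typically turned into a body-less GET). It also records whether the replayed body crosses an origin or drops from https to plain http, which is the one case the TLS argument above does not cover. The `auto_follow` policy, the host names, the URLs and the form body are all constructed assumptions for illustration.

```python
# Added example (not from the thread): a model of what a client re-sends
# after a 3xx to a request that carried a body, so the 307 case can be
# compared with 301/302.  URLs, host names and the body are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urljoin, urlsplit


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    body: Optional[bytes] = None


@dataclass(frozen=True)
class RedirectPlan:
    request: Request      # the follow-up request the client would issue
    body_resent: bool     # the original entity body travels again
    cross_origin: bool    # scheme/host/port differ from the original request
    tls_downgrade: bool   # original was https, target is plain http


def origin(url: str) -> Tuple[str, str, int]:
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, (p.hostname or "").lower(), port)


def plan_redirect(req: Request, status: int, location: str) -> RedirectPlan:
    target = urljoin(req.url, location)
    if status in (301, 302, 303):
        # Browsers turn a redirected POST into a body-less GET here
        # (RFC 7231 allows it for 301/302 and defines 303 as a GET).
        method = "HEAD" if req.method == "HEAD" else "GET"
        follow = Request(method, target, None)
    elif status in (307, 308):
        # 307/308 preserve method and body: whatever was POSTed goes to
        # Location verbatim, which is why the thread is about 307.
        follow = Request(req.method, target, req.body)
    else:
        raise ValueError(f"not a redirect status: {status}")
    o_from, o_to = origin(req.url), origin(target)
    return RedirectPlan(
        request=follow,
        body_resent=req.body is not None and follow.body is not None,
        cross_origin=o_from != o_to,
        tls_downgrade=o_from[0] == "https" and o_to[0] == "http",
    )


def auto_follow(plan: RedirectPlan) -> bool:
    """Hypothetical client policy (an assumption, not the thread's position):
    follow silently unless a body that was sent under TLS would be replayed
    to a plain-http origin.  Plain http to plain http gets no prompt because,
    as the message above argues, whoever can inject the redirect already
    saw the bytes."""
    return not (plan.body_resent and plan.tls_downgrade)


# Constructed request and responses used for the demonstration.
POST = Request("POST", "https://bank.example/transfer", b"to=alice&amount=100")
SAME_SITE = plan_redirect(POST, 307, "/transfer/confirm")
DOWNGRADE = plan_redirect(POST, 307, "http://mirror.example/transfer")
LEGACY = plan_redirect(POST, 302, "http://mirror.example/transfer")

if __name__ == "__main__":
    for name, plan in (("same-site 307", SAME_SITE),
                       ("307 to http", DOWNGRADE),
                       ("302 to http", LEGACY)):
        print(f"{name}: {plan.request.method} {plan.request.url} "
              f"body_resent={plan.body_resent} auto_follow={auto_follow(plan)}")
```

Run as a script it prints one line per case. The same-site 307 re-sends the body to the same TLS origin and is followed; the 307 that points at plain http would replay the body in cleartext and is the one case the policy stops; the 302 to the same http host is followed because the follow-up is a GET with no body.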