Re: User confirmation and 307 redirects

From: Roy T. Fielding <fielding@gbiv.com>
Date: Thu, 19 Aug 2010 14:37:28 -0700
Cc: Julian Reschke <julian.reschke@gmx.de>, httpbis <ietf-http-wg@w3.org>, Maciej Stachowiak <mjs@apple.com>
Message-Id: <772149FB-BE46-4DA0-8A10-E492377EDC30@gbiv.com>
To: Adam Barth <ietf@adambarth.com>

On Aug 19, 2010, at 2:10 PM, Adam Barth wrote:

> On Thu, Aug 19, 2010 at 2:06 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> It isn't a feature.  It is a security constraint.  The fact that some
>> browsers have security holes is well known.
> 
> It's completely ineffective as a security mechanism.  At best, all it
> could do is result in blame-the-user security, which isn't security at
> all.

Please think about it for a while before you try to convince me that a
DELETE on any website on the planet should be able to result in an automatic
DELETE being redirected to any other website on the planet, or your
local intranet.  Likewise for PUT, POST, etc.

There is no compelling need for auto-redirect for an unsafe method.
If you can't figure out a safe way that your "user" (an entity which
varies substantially based on the type of HTTP client being used)
can approve of the redirect, then the safe choice is to not redirect
the request.  Your concerns about the ugliness of such a dialog are
not relevant to the requirement as written in the spec, and it simply
wouldn't matter if every single browser implemented it wrong:
browsers make up only a small percentage of HTTP client vendors.

....Roy
Received on Thursday, 19 August 2010 21:37:58 GMT
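The constraint Roy describes, written out as client-side redirect policy. This is an added example, not code from the thread or from any of its participants: safe methods may follow a redirect automatically, a 303 is retried as GET, but a PUT/POST/DELETE that a 301/302/307/308 would preserve is never re-sent without explicit approval, and a redirect from an external origin toward a loopback/private/intranet-style host is called out in the reason shown to the user. Treating 301/302 as method-preserving, the dot-less-hostname heuristic for "intranet", and the fake `transport` are all assumptions of this example.

```python
"""Redirect policy for an HTTP client: unsafe methods are never auto-redirected."""
from urllib.parse import urljoin, urlsplit
import ipaddress

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
RETRY_AS_GET = {303}                       # effective method becomes GET
METHOD_PRESERVING = {301, 302, 307, 308}  # assumption: treat 301/302 as method-preserving, like 307
MAX_HOPS = 5

def looks_internal(url):
    """Heuristic only: literal private/loopback addresses or dot-less (intranet-style) names."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
        return ip.is_private or ip.is_loopback or ip.is_link_local
    except ValueError:
        return "." not in host

def redirect_action(method, status, request_url, location):
    """Return (action, target, reason); action is 'follow', 'confirm' or 'stop'."""
    target = urljoin(request_url, location)
    if not location or status not in RETRY_AS_GET | METHOD_PRESERVING:
        return "stop", target, "not a redirect this client follows"
    if status in RETRY_AS_GET:
        return "follow", target, "303: retried as GET, which is safe"
    if method.upper() in SAFE_METHODS:
        return "follow", target, "safe method"
    reason = "unsafe method %s would be replayed against %s" % (method, target)
    if looks_internal(target) and not looks_internal(request_url):
        reason += " (external origin steering the request at an internal host)"
    return "confirm", target, reason   # never automatic for PUT/POST/DELETE

def send(transport, method, url, confirm=lambda reason: False):
    """transport(method, url) -> (status, headers); confirm(reason) -> bool asks the user.
    Returns (final_status, final_url); an unapproved redirect is returned unfollowed."""
    for _ in range(MAX_HOPS):
        status, headers = transport(method, url)
        if status not in RETRY_AS_GET | METHOD_PRESERVING:
            return status, url
        action, target, reason = redirect_action(method, status, url, headers.get("Location", ""))
        if action == "stop" or (action == "confirm" and not confirm(reason)):
            return status, url
        method, url = ("GET" if status in RETRY_AS_GET else method), target
    raise RuntimeError("too many redirects")

if __name__ == "__main__":
    # Constructed transport: a.example answers DELETE with a 307 to b.example.
    fake = lambda m, u: (307, {"Location": "https://b.example/item"}) if u == "https://a.example/item" else (200, {})
    print(send(fake, "DELETE", "https://a.example/item"))                # (307, 'https://a.example/item')
    print(send(fake, "DELETE", "https://a.example/item", confirm=lambda r: True))  # (200, 'https://b.example/item')
```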