- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Thu, 19 Aug 2010 14:37:28 -0700
- To: Adam Barth <ietf@adambarth.com>
- Cc: Julian Reschke <julian.reschke@gmx.de>, httpbis <ietf-http-wg@w3.org>, Maciej Stachowiak <mjs@apple.com>
On Aug 19, 2010, at 2:10 PM, Adam Barth wrote:

> On Thu, Aug 19, 2010 at 2:06 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> It isn't a feature. It is a security constraint. The fact that some
>> browsers have security holes is well known.
>
> It's completely ineffective as a security mechanism. At best, all it
> could do is result in blame-the-user security, which isn't security at
> all.

Please think about it for a while before you try to convince me that a DELETE on any website on the planet should be able to result in an automatic DELETE being redirected to any other website on the planet, or your local intranet. Likewise for PUT, POST, etc.

There is no compelling need for auto-redirect for an unsafe method. If you can't figure out a safe way that your "user" (an entity which varies substantially based on the type of HTTP client being used) can approve of the redirect, then the safe choice is to not redirect the request.

Your concerns about the ugliness of such a dialog are not relevant to the requirement as written in the spec, and it simply wouldn't matter if every single browser implemented it wrong: browsers make up only a small percentage of HTTP client vendors.

....Roy
Received on Thursday, 19 August 2010 21:37:58 UTC
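The client-side policy Fielding argues for above, written out as an added example (it is not code from the httpbis working group or from anyone in this thread): safe methods may follow a redirect automatically, a 303 is turned into a GET of the new location, and any other redirect of an unsafe method (POST, PUT, DELETE, ...) is dropped unless an approver says yes. The transport, the approver interface, and the `*.example` hostnames and routes are hypothetical and constructed so the code runs offline; the `same_origin_only` approver is one possible stand-in for "the user approves" and is an assumption, not something the spec prescribes.

```python
"""Added example: redirect handling that refuses to replay unsafe methods.

Hypothetical minimal HTTP client with a pluggable transport so it runs
offline. Not code from the httpbis working group or from the thread.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Safe methods are read-only, so re-issuing them at a new location cannot
# cause a state change the user never intended. Everything else is unsafe.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
REDIRECT_STATUSES = frozenset({301, 302, 303, 307, 308})
MAX_REDIRECTS = 5


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    method: str = ""   # method actually sent for this hop
    url: str = ""      # URL actually requested for this hop


class RedirectRefused(Exception):
    """Raised when an unsafe request would be re-sent without approval."""


# Hypothetical transport: (method, url, body) -> Response. Real code would
# open a connection; here it is a lookup table so the example runs offline.
Transport = Callable[[str, str, bytes], Response]
# Hypothetical approver: (method, from_url, to_url) -> bool. Stands in for
# whatever "the user" is for a given kind of client.
Approver = Callable[[str, str, str], bool]


def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """Scheme, host and port: the usual same-origin triple."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def same_origin_only(method: str, from_url: str, to_url: str) -> bool:
    """Example approver (an assumption, not a spec rule): an unsafe method
    may follow a redirect only if it stays on the origin it was sent to."""
    return origin(from_url) == origin(to_url)


def request(method: str, url: str, transport: Transport, body: bytes = b"",
            approve: Optional[Approver] = None,
            history: Optional[List[Response]] = None) -> Response:
    """Send a request and follow redirects under the policy:
    safe methods are followed automatically; 303 switches to a GET of the
    new URL; any other redirect of an unsafe method needs the approver to
    say yes, otherwise the request is dropped rather than replayed."""
    method = method.upper()
    for _ in range(MAX_REDIRECTS + 1):
        resp = transport(method, url, body)
        resp.method, resp.url = method, url
        if history is not None:
            history.append(resp)
        location = resp.headers.get("Location")
        if resp.status not in REDIRECT_STATUSES or location is None:
            return resp
        target = urljoin(url, location)  # Location may be relative
        if resp.status == 303:
            method, body = "GET", b""    # 303 asks for a GET of the target
        elif method not in SAFE_METHODS:
            if approve is None or not approve(method, url, target):
                raise RedirectRefused(
                    f"{method} {url} -> {resp.status} to {target}: "
                    "not replayed without approval")
        url = target
    raise RedirectRefused(f"more than {MAX_REDIRECTS} redirects from {url}")


def is_refused(method: str, url: str, transport: Transport,
               approve: Optional[Approver] = None) -> bool:
    """True if the policy drops the request instead of replaying it."""
    try:
        request(method, url, transport, approve=approve)
    except RedirectRefused:
        return True
    return False


def make_transport(routes: Dict[Tuple[str, str], Tuple[int, Dict[str, str]]]) -> Transport:
    """Constructed offline transport: (method, url) -> (status, headers)."""
    def transport(method: str, url: str, body: bytes) -> Response:
        status, headers = routes.get((method, url), (404, {}))
        return Response(status=status, headers=dict(headers))
    return transport


# Constructed sample routes; the hosts are placeholders, not real sites.
ROUTES = {
    ("GET", "https://a.example/old"): (301, {"Location": "https://b.example/new"}),
    ("GET", "https://b.example/new"): (200, {}),
    ("DELETE", "https://a.example/item"): (302, {"Location": "https://c.example/item"}),
    ("DELETE", "https://c.example/item"): (200, {}),
    ("DELETE", "https://a.example/moved"): (307, {"Location": "https://a.example/items/1"}),
    ("DELETE", "https://a.example/items/1"): (204, {}),
    ("POST", "https://a.example/form"): (303, {"Location": "/result"}),
    ("GET", "https://a.example/result"): (200, {}),
}
TRANSPORT = make_transport(ROUTES)

if __name__ == "__main__":
    r = request("GET", "https://a.example/old", TRANSPORT)
    print("GET followed to", r.url, r.status)
    print("DELETE to another host refused:",
          is_refused("DELETE", "https://a.example/item", TRANSPORT))
```

The point of the design is in `request`: with no approver, a redirected DELETE, PUT or POST is simply dropped, which is the safe default the message describes; a client that has a meaningful "user" (interactive, scripted, or a policy such as `same_origin_only`) plugs it in as the approver, and a redirected GET or HEAD is never blocked because it cannot change state at the new location.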