W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2010

Re: User confirmation and 307 redirects

From: Roy T. Fielding <fielding@gbiv.com>
Date: Thu, 19 Aug 2010 15:37:18 -0700
Cc: Mark Pauley <mpauley@apple.com>, Julian Reschke <julian.reschke@gmx.de>, httpbis <ietf-http-wg@w3.org>, Maciej Stachowiak <mjs@apple.com>
Message-Id: <5F44AE20-FCB9-437B-BE9E-B904714F8807@gbiv.com>
To: Adam Barth <ietf@adambarth.com>
On Aug 19, 2010, at 3:20 PM, Adam Barth wrote:
> If you think that 307 redirects are a security vulnerability, then
> should should remove them from the protocol.  Trying to atone for the
> security sins of the protocol by punting security to the user is
> security theater.

Using the Internet is a security vulnerability, yet there are sufficient
trade-offs to justify it.   The same goes for redirecting an unsafe
method if and only if the redirection has been preconfigured or
acknowledged by the user.  How that is arranged is not defined by
the protocol -- it is left up to the user agent developer to decide
on their own user interface *if* they want to autoredirect an unsafe
method.

I don't care if you think all users are idiots.  They are responsible
for their own use of the Internet.  The user agent is responsible for
showing/configuring what decisions need to be made by the user.  HTTP
is only responsible for ensuring that the protocol expresses what the
user has decided, and to do that correctly it has to constrain the
automatic redirection of unsafe methods unless or until that decision
is made by the user.

....Roy
Received on Thursday, 19 August 2010 22:37:47 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:24 GMT