W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2010

Re: User confirmation and 307 redirects

From: Adam Barth <ietf@adambarth.com>
Date: Thu, 19 Aug 2010 15:44:48 -0700
Message-ID: <AANLkTik4trrZ5rFRUdmBKSp9+0qtngSTaV1tuYnB6dVK@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Mark Pauley <mpauley@apple.com>, Julian Reschke <julian.reschke@gmx.de>, httpbis <ietf-http-wg@w3.org>, Maciej Stachowiak <mjs@apple.com>
On Thu, Aug 19, 2010 at 3:37 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> On Aug 19, 2010, at 3:20 PM, Adam Barth wrote:
>> If you think that 307 redirects are a security vulnerability, then
>> should should remove them from the protocol.  Trying to atone for the
>> security sins of the protocol by punting security to the user is
>> security theater.
> Using the Internet is a security vulnerability, yet there are sufficient
> trade-offs to justify it.   The same goes for redirecting an unsafe
> method if and only if the redirection has been preconfigured or
> acknowledged by the user.  How that is arranged is not defined by
> the protocol -- it is left up to the user agent developer to decide
> on their own user interface *if* they want to autoredirect an unsafe
> method.

The draft says:

  Otherwise, the user agent MUST NOT automatically
  redirect the request unless it can be confirmed by the user

If the user agent developer can choose whether or not to autoredirect
an unsafe method, in what sense is this requirement a MUST NOT?

Received on Thursday, 19 August 2010 22:45:43 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:54 UTC