W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2010

Re: User confirmation and 307 redirects

From: Adam Barth <ietf@adambarth.com>
Date: Thu, 19 Aug 2010 15:44:48 -0700
Message-ID: <AANLkTik4trrZ5rFRUdmBKSp9+0qtngSTaV1tuYnB6dVK@mail.gmail.com>
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: Mark Pauley <mpauley@apple.com>, Julian Reschke <julian.reschke@gmx.de>, httpbis <ietf-http-wg@w3.org>, Maciej Stachowiak <mjs@apple.com>
On Thu, Aug 19, 2010 at 3:37 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> On Aug 19, 2010, at 3:20 PM, Adam Barth wrote:
>> If you think that 307 redirects are a security vulnerability, then
>> should should remove them from the protocol.  Trying to atone for the
>> security sins of the protocol by punting security to the user is
>> security theater.
>
> Using the Internet is a security vulnerability, yet there are sufficient
> trade-offs to justify it.   The same goes for redirecting an unsafe
> method if and only if the redirection has been preconfigured or
> acknowledged by the user.  How that is arranged is not defined by
> the protocol -- it is left up to the user agent developer to decide
> on their own user interface *if* they want to autoredirect an unsafe
> method.

The draft says:

[[
  Otherwise, the user agent MUST NOT automatically
  redirect the request unless it can be confirmed by the user
]]

If the user agent developer can choose whether or not to autoredirect
an unsafe method, in what sense is this requirement a MUST NOT?

Adam
Received on Thursday, 19 August 2010 22:45:43 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:24 GMT