- From: Peter Saint-Andre <stpeter@stpeter.im>
- Date: Fri, 01 Jun 2012 15:02:16 -0600
- To: ietf-http-wg@w3.org

Dear HTTPBIS WG:

Please correct me if I'm wrong, but it appears that the HTTP specifications [1] don't say anything about the circumstances under which an HTTP client ought to, or ought not to, follow a redirect (such as we defined for XMPP in RFC 6120 [2]).

My questions include:

Is it OK if an HTTP request to somedomain.tld is redirected to anotherdomain.tld?

What about an HTTPS request? For the latter, at what point in the secure connection request is it OK to accept a redirect? Do both confidentiality and integrity need to be established before it's OK to follow the redirect? Does the client need to apply the same policies to anotherdomain.tld that it would have applied to somedomain.tld (e.g., mandating encryption)? What server identity does the client check (per RFC 2818)? Etc.

As I said, perhaps these matters are described somewhere and I missed them; if so, a pointer would be appreciated.

Thanks!

Peter

[1] I checked RFC 2616, RFC 2818, draft-ietf-httpbis-p1-messaging-19, draft-ietf-httpbis-p2-semantics-19, and draft-ietf-httpbis-security-properties-05

[2] http://tools.ietf.org/html/rfc6120#section-4.9.3.19

Received on Friday, 1 June 2012 21:02:47 UTC