
WGLC issue: following HTTP redirects

From: Peter Saint-Andre <stpeter@stpeter.im>
Date: Fri, 01 Jun 2012 15:02:16 -0600
Message-ID: <4FC92DD8.40401@stpeter.im>
To: ietf-http-wg@w3.org

Dear HTTPBIS WG:

Please correct me if I'm wrong, but it appears that the HTTP
specifications [1] don't say anything about the circumstances under
which an HTTP client ought to, or ought not to, follow a redirect (such
as we defined for XMPP in RFC 6120 [2]).

My questions include: Is it OK if an HTTP request to somedomain.tld is
redirected to anotherdomain.tld? What about an HTTPS request? For the
latter, at what point in the secure connection request is it OK to
accept a redirect? Do both confidentiality and integrity need to be
established before it's OK to follow the redirect? Does the client need
to apply the same policies to anotherdomain.tld that it would have
applied to somedomain.tld (e.g., mandating encryption)? What server
identity does the client check (per RFC 2818)? Etc.

As I said, perhaps these matters are described somewhere and I missed
them; if so, a pointer would be appreciated.

Thanks!

Peter

[1] I checked RFC 2616, RFC 2818, draft-ietf-httpbis-p1-messaging-19,
draft-ietf-httpbis-p2-semantics-19, and
draft-ietf-httpbis-security-properties-05

[2] http://tools.ietf.org/html/rfc6120#section-4.9.3.19

Received on Friday, 1 June 2012 21:02:47 GMT
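
One conservative client-side policy covering the decisions this message asks about (cross-domain targets, HTTPS requests, when a redirect may be accepted, carrying the encryption requirement over to the target, and which name to verify), as an added example that is not part of the original post and is not taken from any HTTP specification. The function name, the `Decision` type, the policy choices and the sample URLs are assumptions.

```python
from collections import namedtuple
from urllib.parse import urljoin, urlsplit

# Hypothetical result type: verify_host is the name the client would match
# against the certificate on the next connection (an assumed policy choice).
Decision = namedtuple("Decision", "follow target verify_host reason")

ALLOWED_SCHEMES = {"http", "https"}

def check_redirect(request_url, location, tls_verified=False,
                   allow_cross_host=False):
    """Decide whether to follow a redirect under an assumed conservative policy."""
    target = urljoin(request_url, location)  # Location may be relative
    src, dst = urlsplit(request_url), urlsplit(target)
    src_host = (src.hostname or "").lower()
    dst_host = (dst.hostname or "").lower()

    def refuse(reason):
        return Decision(False, target, None, reason)

    # A redirect seen on an https request counts only if it arrived over a
    # connection whose certificate was already verified for src_host.
    if src.scheme == "https" and not tls_verified:
        return refuse("redirect received before TLS verification")
    if dst.scheme not in ALLOWED_SCHEMES or not dst_host:
        return refuse("unsupported scheme or missing host")
    # Apply the original request's encryption requirement to the target.
    if src.scheme == "https" and dst.scheme != "https":
        return refuse("downgrade from https")
    if dst_host != src_host and not allow_cross_host:
        return refuse("cross-host redirect not permitted")
    verify = dst_host if dst.scheme == "https" else None
    return Decision(True, target, verify, "ok")

if __name__ == "__main__":
    # Constructed sample redirects using the placeholder names from the message.
    base = "https://somedomain.tld/start"
    for loc in ("/next", "http://somedomain.tld/next",
                "https://anotherdomain.tld/next"):
        print(loc, "->", check_redirect(base, loc, tls_verified=True))
```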
