- From: Peter Saint-Andre <stpeter@stpeter.im>
- Date: Mon, 04 Jun 2012 09:15:27 -0600
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: ietf-http-wg@w3.org
On 6/4/12 9:13 AM, Julian Reschke wrote:
> On 2012-06-04 16:42, Peter Saint-Andre wrote:
>> ...
>>>> My questions include: Is it OK if an HTTP request to somedomain.tld is
>>>> redirected to anotherdomain.tld? ...
>>>
>>> Why not? It happens all the time.
>>
>> Just because something happens all the time does not mean it is safe or
>> secure. :)
>> ...
>
> Cross-domain redirects happen so frequently (for instance, with any URI
> shortening service) that you really need to be more specific :-)
>
>>>> ... What about an HTTPS request? For the
>>>> latter, at what point in the secure connection request is it OK to
>>>> accept a redirect? Do both confidentiality and integrity need to be
>>>> established before it's OK to follow the redirect? Does the client need
>>>> to apply the same policies to anotherdomain.tld that it would have
>>>> applied to somedomain.tld (e.g., mandating encryption)? What server
>>>> identity does the client check (per RFC 2818)? Etc.
>>>
>>> If we need to describe it, the spec defining HTTPS probably would be the
>>> right place.
>>
>> Do you mean 2818(bis) or the security properties spec?
>>
>> In any case, I would be happy to propose text.
>
> I meant 2818bis; the security properties spec appears to be dead.

If the 2818bis initiative starts in earnest, I shall be sure to propose
appropriate text.

Peter

--
Peter Saint-Andre
https://stpeter.im/
Received on Monday, 4 June 2012 16:48:48 UTC
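As an added example (not part of the thread and not proposed spec text), here is one conservative client-side answer to the questions raised above: a redirect is only acted on after the TLS handshake with the original host has completed, an https request is never downgraded to http, and the identity checked is that of the redirected-to host under RFC 2818 matching rules. The function names, the `target_cert_dns_names` parameter (the dNSName entries the new host presents) and the URLs are assumptions for illustration.

```python
from __future__ import annotations
from urllib.parse import urljoin, urlsplit


def rfc2818_host_matches(hostname: str, dns_names: list[str]) -> bool:
    """RFC 2818 section 3.1 style matching against dNSName entries.
    Handles the common '*.' form only: '*.example.com' matches
    'www.example.com' but not 'a.b.example.com' or 'example.com'.
    (RFC 2818 also allows fragment wildcards such as 'f*.com'; omitted here.)"""
    host = hostname.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # '.example.com'
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def may_follow_redirect(origin_url: str, location: str,
                        target_cert_dns_names: list[str]) -> tuple[bool, str]:
    """Decide whether a client that requested origin_url may follow a
    redirect to `location` (relative or absolute), assuming the redirect
    itself arrived over the already-established connection to origin_url.
    Returns (ok, reason)."""
    origin = urlsplit(origin_url)
    target = urlsplit(urljoin(origin_url, location))  # resolve relative Location
    if target.scheme not in ("http", "https") or not target.hostname:
        return False, "target is not an absolute http(s) URL"
    # Policy inherited from the original request: an https request must not
    # be downgraded to plain http on redirect, even to the same host.
    if origin.scheme == "https" and target.scheme != "https":
        return False, "https -> http downgrade refused"
    if target.scheme == "https":
        # The identity checked is the redirected-to host (RFC 2818), not the
        # original one: a certificate valid for somedomain.tld says nothing
        # about anotherdomain.tld. In a real client this check runs during
        # the second TLS handshake; here the target's names are passed in.
        if not rfc2818_host_matches(target.hostname, target_cert_dns_names):
            return False, f"certificate does not match {target.hostname}"
    return True, f"follow to {target.geturl()}"
```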