W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2012

Re: WGLC issue: following HTTP redirects

From: Peter Saint-Andre <stpeter@stpeter.im>
Date: Mon, 04 Jun 2012 09:15:27 -0600
Message-ID: <4FCCD10F.4020002@stpeter.im>
To: Julian Reschke <julian.reschke@gmx.de>
CC: ietf-http-wg@w3.org
On 6/4/12 9:13 AM, Julian Reschke wrote:
> On 2012-06-04 16:42, Peter Saint-Andre wrote:
>> ...
>>>> My questions include: Is it OK if an HTTP request to somedomain.tld is
>>>> redirected to anotherdomain.tld? ...
>>>
>>> Why not? It happens all the time.
>>
>> Just because something happens all the time does not mean it is safe or
>> secure. :)
>> ...
> 
> Cross-domain redirects happen so frequently (for instance, with any URI
> shortening service) that you really need to be more specific :-)
> 
>>>> ... What about an HTTPS request? For the
>>>> latter, at what point in the secure connection request is it OK to
>>>> accept a redirect? Do both confidentiality and integrity need to be
>>>> established before it's OK to follow the redirect? Does the client need
>>>> to apply the same policies to anotherdomain.tld that it would have
>>>> applied to somedomain.tld (e.g., mandating encryption)? What server
>>>> identity does the client check (per RFC 2818)? Etc.
>>>
>>> If we need to describe it, the spec defining HTTPS probably would be the
>>> right place.
>>
>> Do you mean 2818(bis) or the security properties spec?
>>
>> In any case, I would be happy to propose text.
> 
> I meant 2818bis; the security properties spec appears to be dead.

If the 2818bis initiative starts in earnest, I shall be sure to propose
appropriate text.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
Received on Monday, 4 June 2012 16:48:48 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 4 June 2012 16:48:56 GMT