
Re: WGLC issue: following HTTP redirects

From: Peter Saint-Andre <stpeter@stpeter.im>
Date: Mon, 04 Jun 2012 08:42:12 -0600
Message-ID: <4FCCC944.5050008@stpeter.im>
To: Julian Reschke <julian.reschke@gmx.de>
CC: ietf-http-wg@w3.org

On 6/2/12 3:54 AM, Julian Reschke wrote:
> On 2012-06-01 23:02, Peter Saint-Andre wrote:
>> Please correct me if I'm wrong, but it appears that the HTTP
>> specifications [1] don't say anything about the circumstances under
>> which an HTTP client ought to, or ought not to, follow a redirect (such
>> as we defined for XMPP in RFC 6120 [2]).
> It does say a few things about what to consider when following redirects
> to unsafe methods; but that's it.
> In general, the spec describes format and semantics of HTTP messages and
> doesn't try to describe what to do with them.
>> My questions include: Is it OK if an HTTP request to somedomain.tld is
>> redirected to anotherdomain.tld? ...
> Why not? It happens all the time.

Just because something happens all the time does not mean it is safe or
secure. :)

>> ... What about an HTTPS request? For the
>> latter, at what point in the secure connection request is it OK to
>> accept a redirect? Do both confidentiality and integrity need to be
>> established before it's OK to follow the redirect? Does the client need
>> to apply the same policies to anotherdomain.tld that it would have
>> applied to somedomain.tld (e.g., mandating encryption)? What server
>> identity does the client check (per RFC 2818)? Etc.
> If we need to describe it, the spec defining HTTPS probably would be the
> right place.

Do you mean 2818(bis) or the security properties spec?

In any case, I would be happy to propose text.


Peter Saint-Andre
Received on Monday, 4 June 2012 17:16:38 UTC
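One way to make the policy questions raised in this message concrete (no https-to-http downgrade, re-applying the original request's TLS requirement to the new host, which host identity the client must verify per RFC 2818, and what to do with unsafe methods and credentials on a cross-origin redirect). This is an added illustration, not code from this thread or from any HTTP specification; every policy choice encoded below is an assumption, and the domains are the placeholders from the message.

```python
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit

SAFE_METHODS = {"GET", "HEAD"}
DEFAULT_PORT = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Decision:
    action: str                   # "follow", "follow_as_get", "confirm" or "refuse"
    target: str                   # absolute URL the client would request next
    reason: str
    forward_credentials: bool = False   # cookies / Authorization may go along
    expected_identity: str = ""         # host the TLS certificate must match (RFC 2818)


def origin(parts):
    """(scheme, host, effective port) so that :443 and no port compare equal."""
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORT.get(parts.scheme))


def redirect_decision(request_url, method, status, location,
                      hops=0, max_hops=5, require_tls=False):
    """Assumed client policy (not mandated by HTTP): refuse downgrades, keep
    the original TLS requirement, never forward credentials across origins,
    and never silently re-send an unsafe method to another origin."""
    target = urljoin(request_url, location)          # Location may be relative
    src, dst = urlsplit(request_url), urlsplit(target)
    same_origin = origin(src) == origin(dst)
    ident = dst.hostname or ""
    if hops >= max_hops:
        return Decision("refuse", target, "too many hops (possible redirect loop)")
    if dst.scheme not in DEFAULT_PORT or not ident:
        return Decision("refuse", target, "unsupported scheme or missing host")
    if (src.scheme == "https" or require_tls) and dst.scheme != "https":
        return Decision("refuse", target, "redirect would drop TLS (downgrade)")
    if method in SAFE_METHODS:
        return Decision("follow", target, "safe method", same_origin, ident)
    if status == 303:   # 303 always converts the follow-up request to GET
        return Decision("follow_as_get", target, "303 See Other", same_origin, ident)
    if same_origin:
        return Decision("follow", target, "unsafe method, same origin", True, ident)
    return Decision("confirm", target,
                    "unsafe method to another origin: ask the user first", False, ident)
```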
