On 2012-06-04 16:42, Peter Saint-Andre wrote:
> ...
>>> My questions include: Is it OK if an HTTP request to somedomain.tld is
>>> redirected to anotherdomain.tld? ...
>>
>> Why not? It happens all the time.
>
> Just because something happens all the time does not mean it is safe or
> secure. :)
> ...

Cross-domain redirects happen so frequently (for instance, with any URI shortening service) that you really need to be more specific :-)

>>> ... What about an HTTPS request? For the
>>> latter, at what point in the secure connection request is it OK to
>>> accept a redirect? Do both confidentiality and integrity need to be
>>> established before it's OK to follow the redirect? Does the client need
>>> to apply the same policies to anotherdomain.tld that it would have
>>> applied to somedomain.tld (e.g., mandating encryption)? What server
>>> identity does the client check (per RFC 2818)? Etc.
>>
>> If we need to describe it, the spec defining HTTPS probably would be the
>> right place.
>
> Do you mean 2818(bis) or the security properties spec?
>
> In any case, I would be happy to propose text.

I meant 2818bis; the security properties spec appears to be dead.

Best regards, Julian

Received on Monday, 4 June 2012 18:00:38 GMT