W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: #328: user Intervention on Redirects

From: Amos Jeffries <squid3@treenet.co.nz>
Date: Tue, 07 Feb 2012 17:12:00 +1300
Message-ID: <4F30A490.10100@treenet.co.nz>
To: ietf-http-wg@w3.org
On 7/02/2012 1:10 p.m., Martin Thomson wrote:
> On 6 February 2012 15:55, Mark Nottingham wrote:
>> I'm now wondering if we should consider removing this requirement altogether.
> Remove it.  I imagine that the original idea was that you might want
> to prevent a server from getting you to pass your secrets to some
> other server.  Or that it might do a bait and switch.
>
> In a world with clickjacking, this sort of measure just seems naive.
>

Clickjacking as a whole is still very much relevant to this redirection 
capability.
BUT, given that the client UA is where the redirect is done anyway, it makes 
little sense to prohibit it entirely.

IMO move it from the protocol spec to the security threat model as an 
instruction that UAs should take care before following redirects 
automatically.

AYJ
Received on Tuesday, 7 February 2012 04:15:24 GMT
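As an added illustration of what "take care before following redirects automatically" can mean in a user agent (this is example code written for this archive page, not from the thread, Squid or any HTTP implementation): a small redirect policy that decides, per response, whether to follow silently, follow with the first server's credentials stripped, or stop and ask the user. The status-code semantics (303 becomes GET; 307/308 replay the method and body; the POST-to-GET rewrite on 301/302 is the common UA behaviour) are from RFC 7231; the specific rules about which hops need user intervention, the `Request`/`Decision` types and the header list are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urljoin, urlsplit

SAFE_METHODS = {"GET", "HEAD"}
# Request headers that carry credentials intended for the origin that issued
# the redirect (assumed list for this example).
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Decision:
    action: str                  # "follow" or "ask-user"
    request: Optional[Request]   # the next request when action == "follow"
    reason: str


def origin(url: str):
    """(scheme, host, port); a change in any part makes the hop cross-origin."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, (p.hostname or "").lower(), port)


def plan_redirect(req: Request, status: int, location: str) -> Decision:
    """Decide what a UA should do with a 3xx response to `req`."""
    target = urljoin(req.url, location)
    cross_origin = origin(target) != origin(req.url)
    downgrade = (urlsplit(req.url).scheme == "https"
                 and urlsplit(target).scheme == "http")
    had_credentials = any(k.lower() in CREDENTIAL_HEADERS for k in req.headers)

    # 303 always turns into GET; on 301/302 a UA may (and browsers do) turn POST
    # into GET. 307/308 preserve method and body, so they replay the request.
    if status == 303 or (status in (301, 302) and req.method == "POST"):
        method, body = "GET", b""
    else:
        method, body = req.method, req.body

    # A replayed non-safe request to another origin is the "pass your secrets
    # to some other server" case: do not do it without the user.
    if cross_origin and method not in SAFE_METHODS:
        return Decision("ask-user", None,
                        f"{status} would resend a {method} body to a different origin")
    # Moving a credentialed request from https to http is worth a prompt too.
    if downgrade and had_credentials:
        return Decision("ask-user", None,
                        "https->http redirect would move credentials onto cleartext")

    headers = dict(req.headers)
    if cross_origin:
        # Never hand the first server's credentials to the server it sent us to.
        headers = {k: v for k, v in headers.items()
                   if k.lower() not in CREDENTIAL_HEADERS}
    reason = "same-origin" if not cross_origin else "cross-origin, credentials stripped"
    return Decision("follow", Request(method, target, headers, body), reason)


if __name__ == "__main__":
    # Constructed sample: a credentialed POST bounced to another host by a 307.
    login = Request("POST", "https://a.example/login",
                    {"Cookie": "session=abc"}, b"user=u&pass=p")
    print(plan_redirect(login, 307, "https://b.example/login"))
```

The policy is deliberately conservative: same-origin hops and cross-origin GETs are followed without asking, which is what users expect, while the two cases that actually move a secret or a request body somewhere the user did not address are the only ones that interrupt.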
