Re: #328: user Intervention on Redirects

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 07 Feb 2012 16:49:08 +0100
To: "Mark Nottingham" <mnot@mnot.net>, "Julian Reschke" <julian.reschke@gmx.de>
Cc: "HTTP Working Group" <ietf-http-wg@w3.org>
Message-ID: <op.v9bfj6fw64w2qv@annevk-macbookpro.local>
On Tue, 07 Feb 2012 16:14:43 +0100, Julian Reschke <julian.reschke@gmx.de>  
wrote:
> 1) Remove the statements from 301/302/307.
>
> 2) In a single place, explain the risks of automatically redirecting  
> when the new request method is unsafe. Note this applies to *any* kind  
> of following redirects, including future ones (such as 308).
>
> Not sure about where to put the text for 2); does this belong into the  
> description of 3xx or into the Security Considerations?

Can you explain to me the scenario for 2? In particular how a redirect  
makes this more dangerous than just performing the request directly.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 7 February 2012 15:52:26 GMT