W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2012

Re: #328: user Intervention on Redirects

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 07 Feb 2012 17:07:59 +0100
Message-ID: <4F314C5F.40009@gmx.de>
To: Anne van Kesteren <annevk@opera.com>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 2012-02-07 16:49, Anne van Kesteren wrote:
> On Tue, 07 Feb 2012 16:14:43 +0100, Julian Reschke
> <julian.reschke@gmx.de> wrote:
>> 1) Remove the statements from 301/302/307.
>>
>> 2) In a single place, explain the risks of automatically redirecting
>> when the new request method is unsafe. Note this applies to *any* kind
>> of following redirects, including future ones (such as 308).
>>
>> Not sure about where to put the text for 2); does this belong into the
>> description of 3xx or into the Security Considerations?
>
> Can you explain to me the scenario for 2? In particular how a redirect
> makes this more dangerous than just performing the request directly.

The redirect might go to a resource that the user didn't ask to modify.

Consider an XHR PUT being redirected to a different server, or to a 
different resource on the same server.

Yes, unsafe requests are ... unsafe, and thus need to be executed 
carefully. This consideration is about clients that follow the redirect 
automatically, and don't leave the control to whoever initiated the request.

Best regards, Julian
Received on Tuesday, 7 February 2012 16:11:21 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:55 GMT