Re: #328: user Intervention on Redirects

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 7 Feb 2012 08:38:04 -0800
Message-ID: <CABkgnnXt6seg=fAyMS04RhZ=CyFr4uUg9K7mnEq4NAcoVi+ORQ@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On 7 February 2012 08:07, Julian Reschke <julian.reschke@gmx.de> wrote:
> The redirect might go to a resource that the user didn't ask to modify.

I don't see the problem.  So I ask to modify X, but then X points me
to Y, so I either automatically modify Y, or require confirmation
before doing so.

There isn't a security problem.  X has the information and could
forward to Y itself.

The only concern is over intent.  Whether the intent of the client
extends to permitting a server to direct their request.

I know that curl has a command line option for this behaviour, but
most clients don't have the luxury of millions of options.  So when
you have to pick an option, choose the one that doesn't require a
dialog box.

Ultimately, this is between you and your client.  A specification
shouldn't really need to say anything about it (though we might make an
exception for a security issue).

--Martin
Received on Tuesday, 7 February 2012 16:42:34 GMT
