
Re: #328: user Intervention on Redirects

From: Julian Reschke <julian.reschke@gmx.de>
Date: Tue, 07 Feb 2012 18:21:54 +0100
Message-ID: <4F315DB2.1020804@gmx.de>
To: Chris Weber <chris@lookout.net>
CC: Martin Thomson <martin.thomson@gmail.com>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 2012-02-07 18:10, Chris Weber wrote:
> On 2/7/2012 8:38 AM, Martin Thomson wrote:
>> I don't see the problem. So I ask to modify X, but then X points me to
>> Y, so I either automatically modify Y, or require confirmation before
>> doing so. There isn't a security problem. X has the information and
>> could forward to Y itself.
>
> Within the security community the issue has been termed "Open Redirect"
> and has been well documented here
> http://cwe.mitre.org/data/definitions/601.html and here
> https://www.owasp.org/index.php/Top_10_2010-A10-Unvalidated_Redirects_and_Forwards
> as well as other places.  It's not a vulnerability by itself but has
> ...

Clarifying: "Open" means that the target of the redirect actually 
depends on something the request contains, such as a query parameter, right?
Received on Tuesday, 7 February 2012 17:25:14 GMT
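The distinction Julian asks about, worked through as an added example that is not part of this thread: a redirect target taken verbatim from a request parameter is what CWE-601 calls an open redirect, while the same parameter constrained to the site's own host or a short allowlist is not. The host names, the `next` parameter and the allowlist below are constructed for the example, not taken from the discussion.

```python
"""Added example (not from the thread): constraining a request-supplied
redirect target so the resulting 3xx is no longer an "open" redirect.

The thread's definition: a redirect is "open" when the Location the server
emits depends on something the request contains (e.g. a query parameter)
without validation, so a link on the trusted host can land anywhere.
"""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed for this example: the site's own host and the hosts it
# legitimately redirects to. Both are assumptions, not values from the thread.
SELF_HOST = "example.test"
ALLOWED_HOSTS = {SELF_HOST, "accounts.example.test"}


def unsafe_redirect_target(query: str) -> str:
    """The CWE-601 pattern: echo the request's `next` parameter straight
    into Location. Kept only as the 'before' for comparison."""
    return parse_qs(query).get("next", ["/"])[0]


def safe_redirect_target(query: str) -> str:
    """Derive a Location value from `next` that can only point at this site
    or an allowlisted host; anything else falls back to "/"."""
    candidate = parse_qs(query).get("next", ["/"])[0]
    parts = urlsplit(candidate)

    # Only web schemes may be followed; "javascript:", "data:" etc. are refused.
    if parts.scheme and parts.scheme not in ("http", "https"):
        return "/"

    # Absolute (https://host/...) and scheme-relative (//host/...) targets both
    # carry a host in .netloc. .hostname strips userinfo and port, so
    # "https://example.test@evil.test/" is judged by its real host, evil.test.
    if parts.netloc:
        if parts.hostname not in ALLOWED_HOSTS:
            return "/"
        # Rebuild from the validated pieces so userinfo cannot be smuggled.
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))

    # Relative target: require a single leading "/" so the browser resolves it
    # against the current host. "//" and "/\" are treated as host separators
    # by browsers, so they are refused too.
    path = parts.path
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return "/"
    return urlunsplit(("", "", path, parts.query, ""))


if __name__ == "__main__":
    # Constructed sample query strings, as they would arrive on /login?next=...
    for q in ("next=/account?tab=1", "next=//evil.test/x",
              "next=https://example.test@evil.test/",
              "next=https://accounts.example.test/login"):
        print(f"{q!r:45} unsafe -> {unsafe_redirect_target(q)!r:40} "
              f"safe -> {safe_redirect_target(q)!r}")
```

The important design choice is that the validated branch rebuilds the URL from `hostname` rather than returning the original string: comparing the raw `netloc` against an allowlist would let userinfo or port tricks pass, and returning the raw input would re-introduce whatever the check did not think to look for.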
