- From: Nicolas Mailhot <nicolas.mailhot@laposte.net>
- Date: Sun, 19 Feb 2012 11:22:52 +0100
- To: squid3@treenet.co.nz
- Cc: ietf-http-wg@w3.org
Amos Jeffries writes:

> On 19/02/2012 7:56 a.m., Nicolas Mailhot wrote:
> > (I don't remember the CVE numbers, but every
> > major browser stopped honoring those redirects at about the same time). So
>
> Ah, that restricted to 302, 300 and unknown 3xx redirects AFAIK, which
> are unsafe or difficult to allow safe auto-redirect for.

Yes, I totally understand the CVE logic, however this change broke most
authenticated proxy setups (and now that enterprises are finally retiring or
replacing ie6 they are stuck)

> Most of the hacks on the wikipedia page are involved with getting the
> packets to the portals proxy software without making the browser aware
> that it exists. Simple proxy auto-configuration avoids all of these
> hacks. They all happen long before HTTP gets a byte in edgewise.

This part does not require browser configuration, and proxy autoconfiguration
can be challenging on a huge corporate network. The main problem right now is
getting browser cooperation to display the authentication form.

> How do you propose HTTP spec updates to solve "users who first use an
> email client or other will find the connection not working without
> explanation"? This being the problem which covers intercepted port 443
> packets for HTTPS portal.

I don't have any bright idea there. Though if people continue migrating to
webmail, that will eventually be academic.

> > I'd really like the working group to define such a standard method. It
> > wouldn't be complex or difficult to implement in browsers, and it would solve
> > many actual problems now.
>
> Do you mean a mechanism like the status 303 (See Other), 305 (Use Proxy)
> and 511 (Network Authentication Required)?

511 is exactly what I need. I was not aware of it. Is it implemented in any
browser yet? Where should I point the browser writers to get it implemented?
http://tools.ietf.org/id/draft-nottingham-http-new-status-04.txt ?
(except for the part where 511 generates a certificate error)

> Notice how 302 is not in that list despite Wikipedia noting that most
> portals use 302.

Most portals use 302, Bluecoat uses 307, and everyone is getting blocked by
browsers. 305 is useless for my needs as long as the RFC states that:

   Note: RFC 2068 was not clear that 305 was intended to redirect a single
   request, and to be generated by origin servers only. Not observing these
   limitations has significant security consequences.

Anyway, 511 is much cleaner

> That would seem to be one part of the underlying
> problem. The other part being browsers defaulting to disable WPAD
> support (needed for 303 to work) or treating 303 as 302 including those
> security protections.

The RFC does state:

   Note: Many pre-HTTP/1.1 user agents do not understand the 303 status.
   When interoperability with such clients is a concern, the 302 status
   code may be used instead

Thank you for your help!

BTW : it would be nice if 7.3.6. 7.3.7. 7.4.8. referenced the error 511 (and
if error 511 description included the proxy keyword) or people won't find it.

-- 
Nicolas Mailhot
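The thread above contrasts the legacy captive-portal trick (answering the user's first request with a 302 to the login page, which browsers now refuse to follow automatically) with the 511 Network Authentication Required status from draft-nottingham-http-new-status (published as RFC 6585). The following Python is an added illustration, not code from this thread, from Squid, or from any portal product: it builds both kinds of interception response the way a portal would emit them on the wire and then parses them the way a client would, showing why a 511 is self-describing (the client knows the network, not the origin, produced the body; the body links to the login page; the response must not be stored by a cache) while a 302 from a portal is indistinguishable from a 302 the origin itself could have sent. The login URL `https://login.example.net/` and the helper names are constructed for the example.

```python
"""Captive-portal signalling: 511 Network Authentication Required vs. a 302.

Constructed example (not from the mailing-list thread or any portal
product).  The 511 behaviour follows draft-nottingham-http-new-status,
published as RFC 6585: the body carries a link to the login page and
the response must not be stored by a cache.
"""
import re
from typing import Dict, Optional, Tuple

CRLF = "\r\n"


def build_response(status: int, reason: str, headers: Dict[str, str], body: str) -> bytes:
    """Serialise a minimal HTTP/1.1 response (no chunking, UTF-8 body)."""
    encoded = body.encode("utf-8")
    lines = [f"HTTP/1.1 {status} {reason}"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    lines.append(f"Content-Length: {len(encoded)}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii") + encoded


def portal_511(login_url: str) -> bytes:
    """Interception response a portal sends before the user has authenticated.

    The meta refresh and the hyperlink both point at the login page so a
    browser that understands 511 can present it without following a redirect.
    Cache-Control: no-store because a cached 511 would be served to users who
    have since logged in (the RFC forbids storing 511 responses).
    """
    body = (
        "<html><head><title>Network Authentication Required</title>"
        f'<meta http-equiv="refresh" content="0; url={login_url}"></head>'
        f'<body>You need to <a href="{login_url}">authenticate with the '
        "local network</a> before you can access the Internet.</body></html>"
    )
    return build_response(
        511, "Network Authentication Required",
        {"Content-Type": "text/html", "Cache-Control": "no-store"}, body,
    )


def portal_302(login_url: str) -> bytes:
    """Legacy portal behaviour: redirect the intercepted request to the login page."""
    return build_response(302, "Found", {"Location": login_url, "Content-Type": "text/html"}, "")


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("ascii").split(CRLF)
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8")


def classify(raw: bytes) -> Tuple[str, Optional[str]]:
    """What a client can conclude from the response, and where to send the user.

    511: the network, not the origin, produced this body; the login page is
         the hyperlink in the body and the content must not be cached.
    3xx with Location: a redirect, but nothing says whether the origin or an
         interception device generated it, which is why browsers stopped
         following these automatically in the cases the thread describes.
    """
    status, headers, body = parse_response(raw)
    if status == 511:
        match = re.search(r'href="([^"]+)"', body)
        return "network-auth-required", match.group(1) if match else None
    if 300 <= status < 400 and "location" in headers:
        return "redirect", headers["location"]
    return "content", None


if __name__ == "__main__":
    for raw in (portal_511("https://login.example.net/"), portal_302("https://login.example.net/")):
        print(raw.split(b"\r\n", 1)[0].decode(), "->", classify(raw))
```

Run stand-alone, the script prints the status line of each constructed portal response followed by how a client would classify it; the point of the example is that only the 511 path lets a client both find the login page and know the body did not come from the origin server.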
Received on Sunday, 19 February 2012 10:23:37 UTC