- From: Daniel Stenberg <daniel@haxx.se>
- Date: Thu, 3 Dec 2009 08:36:54 +0100 (CET)
- To: Tyler Close <tyler.close@gmail.com>
- cc: Joe Gregorio <joe@bitworking.org>, "Manger, James H" <James.H.Manger@team.telstra.com>, public-web-security@w3.org
On Wed, 2 Dec 2009, Tyler Close wrote:

(ietf-http-wg removed from the CC list)

> """
> The SOP rule is something like: Don't follow a cross-domain redirect
> of a PUT request, unless the redirect target has opted out of SOP
> protection.
>
> So, upon seeing the 307 redirect, libcurl would report an error if the
> origin of the Request-URI does not match the origin of the URL in the
> Location header; otherwise, the redirect is followed. Until there's a
> standard way for a resource to opt out of SOP, that's the best that
> can be done.
> """

Won't this get the user into the publicsuffix problem basically?

I mean, if my company has two vhosts under a single domain, shouldn't they be perfectly possible to redirect back and forth between each other?

foo.example.com redirecting a POST to bar.example.com

That's quite different than foo.com redirecting to bar.com.

But just as with cookies, we can't really tell the difference just by looking at the names - as the names don't reveal the topology.

--
/ daniel.haxx.se
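The two redirect policies under discussion, as an added example that is not libcurl's code or anything from this thread: a strict origin comparison (Tyler's proposal) refuses foo.example.com to bar.example.com just as it refuses foo.com to bar.com, while a registrable-domain comparison can tell them apart only by consulting a public suffix table, which is the dependency Daniel is pointing at. The tiny `PUBLIC_SUFFIXES` table and the function names are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed mini public-suffix table for this example only; the real
# Public Suffix List has thousands of entries and changes over time.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in default ports."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme.lower(), parts.hostname.lower(), port)


def registrable_domain(host):
    """Public suffix plus one label, or None if host is itself a suffix."""
    labels = host.lower().split(".")
    # Walk from the longest candidate suffix to the shortest so that
    # "co.uk" wins over "uk" for example.co.uk.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return host  # no known suffix: treat the whole host as registrable


def may_follow_redirect(method, request_url, location, policy="origin"):
    """Decide whether a 307 redirect of a non-safe request may be followed.

    policy="origin":      scheme, host and port must all match (strict SOP).
    policy="registrable": hosts must share a registrable domain per the table.
    """
    if method.upper() in ("GET", "HEAD"):
        return True  # safe methods: no request body to leak cross-site
    src, dst = origin(request_url), origin(location)
    if policy == "origin":
        return src == dst
    if policy == "registrable":
        a, b = registrable_domain(src[1]), registrable_domain(dst[1])
        return a is not None and a == b and src[0] == dst[0]
    raise ValueError("unknown policy: %s" % policy)
```

Under the strict policy both of Daniel's cases are rejected; the registrable-domain policy accepts the intra-company one, but only because the table says "com" is a suffix and "example.com" is not.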
Received on Thursday, 3 December 2009 07:37:40 UTC