- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Fri, 6 May 2005 12:08:42 -0700
- To: Graham Klyne <GK@ninebynine.org>
- Cc: www-tag@w3.org
On May 5, 2005, at 10:58 AM, Graham Klyne wrote:

> Quite separately, I today came across a posting on ACM RISKS forum
> 23.73 that points out a security concern... "The RISK is obvious:
> allowing untrusted URL redirects in this case will fool many more
> people". The full message is below. I don't know if this causes a
> problem for the proposed approach, but it seems to be an issue worth
> considering.

No, that issue is just simple bone-headed deployment in their webspace
of an ISAPI DLL that accepts commands as query data. Someone is
exploiting that huge security hole to create a cross-site scripting
attack. It does not impact the value of normal redirects wherein the
destination is provided by the server config (not the client).

....Roy
Received on Friday, 6 May 2005 19:08:51 UTC
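The distinction Roy draws, a redirect whose destination comes from the client versus one whose destination comes from server configuration, as an added example that is not part of the original thread. The handler names, the request URLs and the redirect table are hypothetical. The third function goes beyond the message: it shows the usual hardening when a client-supplied return path cannot be avoided, namely accepting only an absolute-path reference on the same origin.

```python
"""Client-supplied redirect target vs. server-configured redirect.

Added example, not from the www-tag thread. Handler names, URLs and
REDIRECT_TABLE are hypothetical.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical server-side redirect table: the destination is fixed in
# configuration, which is the "normal redirect" case in the message.
REDIRECT_TABLE = {
    "/old-home": "https://www.example.org/",
    "/docs": "https://www.example.org/documentation/",
}


def _query_param(request_url: str, name: str) -> Optional[str]:
    """Return the first value of a query parameter, or None."""
    values = parse_qs(urlsplit(request_url).query).get(name)
    return values[0] if values else None


def vulnerable_redirect(request_url: str) -> Optional[str]:
    """Open redirect: the Location value is whatever the client put in
    ?url=, so an attacker can send victims anywhere from a trusted host."""
    return _query_param(request_url, "url")


def configured_redirect(request_url: str) -> Optional[str]:
    """Destination comes only from REDIRECT_TABLE, keyed by request path.
    Nothing in the query string can influence where the client is sent."""
    return REDIRECT_TABLE.get(urlsplit(request_url).path)


def safe_local_redirect(request_url: str, default: str = "/") -> str:
    """Accept a client-supplied ?next= only if it is an absolute-path
    reference on this origin; otherwise fall back to a fixed default."""
    candidate = _query_param(request_url, "next")
    if candidate is None:
        return default
    parts = urlsplit(candidate)
    # Anything with a scheme ("https:", "javascript:") or an authority
    # ("//evil.example") points off-origin.
    if parts.scheme or parts.netloc:
        return default
    # Must start with exactly one "/". Reject "//host" (scheme-relative)
    # and "/\host", which some browsers normalise to "//host".
    if not candidate.startswith("/") or candidate.startswith(("//", "/\\")):
        return default
    return candidate


if __name__ == "__main__":
    evil = "https://www.example.org/go?url=https://evil.example/"
    print("open redirect   ->", vulnerable_redirect(evil))
    print("configured      ->", configured_redirect("https://www.example.org/old-home?url=https://evil.example/"))
    print("local, ok       ->", safe_local_redirect("https://www.example.org/login?next=/account"))
    print("local, rejected ->", safe_local_redirect("https://www.example.org/login?next=//evil.example/"))
```

The first function reproduces the flaw in the RISKS report: a trusted hostname in the link, an attacker-chosen destination in the query. The second is the case Roy says is unaffected, because the server alone decides the target. The third is only needed when an application genuinely has to honour a client-chosen return path; even then it sends the client nowhere the origin did not already serve.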