W3C home > Mailing lists > Public > www-tag@w3.org > February 2010

found equivocal mozilla discussion of location bar + 307

From: Jonathan Rees <jar@creativecommons.org>
Date: Thu, 4 Feb 2010 11:39:14 -0500
Message-ID: <760bcb2a1002040839l729a9099v901277c5cdc7c1ff@mail.gmail.com>
To: www-tag@w3.org
This is a checkin regarding ACTION-348 "Research reasons why browser
providers (e.g. Mozilla) aren't willing to meet requests (e.g. from
purl) to retain address bar URL following successful redirect"

I can't say my research is done, but I did find the following

https://bugzilla.mozilla.org/show_bug.cgi?id=68423

initiated by a W3C note complaining about the location bar problem in 2001:

http://www.w3.org/TR/2001/NOTE-cuap-20010206#protocols

The discussion on that thread sort of peters out, with some people
saying "follow what 2616 says, it's not only right but useful" and
others saying "that would be awful, it would be a nasty security
hole", i.e. it's not very informative. As far as I can tell the bug is
still open, so no decision has been reached (i.e. the current behavior
will continue).

I've found various vague references to 307-related threats, all of the
form http://trustysite.com/path doing a 307 redirect to
http://attacker.com/anotherpath. This can happen if trustysite
provides a redirection service to its users, or if there's a
redirection script that can be tricked by passing in parameters
specifying the attacker's site. In any case, the risk relies on a user
treating a page as "trustworthy" merely by virtue of being labeled, in
the browser UI, with a URI that begins with the domain name of a
"trusted" site. I think the authors of 2616 would probably say that's
a bug in the server or the user or both.

I'm focusing on 307 instead of 302 because 302 has the additional
complication that it has in the past been used sometimes in the 303
sense and sometimes in the 307 sense. That is an extraneous issue.

My research continues; I have yet to find adequate documentation of
these threats, or a record of any statement or complaint from OCLC on
the matter, but am looking. Any tips are welcome.

Jonathan
Received on Thursday, 4 February 2010 16:39:42 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:19 GMT