W3C home > Mailing lists > Public > www-talk@w3.org > January to February 2010

Question about redirects and browser address bar

From: Jonathan Rees <jar@creativecommons.org>
Date: Fri, 12 Feb 2010 17:44:39 -0500
Message-ID: <760bcb2a1002121444l7c1cf99ap6f1d47f776dc5e9c@mail.gmail.com>
To: www-talk@w3.org
Dear www-talkers,

When browsing to URI A leads to a 307 or 302 redirect to URI B, all
browsers show B in the "address bar", not A.  This might be seen to be
in contradiction to RFC 2616 "Since the redirection might be altered
on occasion, the client SHOULD continue to use the Request-URI for
future requests" and is in contradiction with the advice in the W3C
"Common User Agent Problems" note
http://www.w3.org/TR/2001/NOTE-cuap-20010206.  I don't want to dispute
whether browser behavior is correct, but I am trying to research the
reasons, especially historical ones, why it is considered correct.
Specifically I'm looking for

1. anything in the historical record on this topic, especially a
browser author saying "we did it this way because ..."
2. specific cases where there has been, or could have been, a real
security problem

or lacking these:

3. specific description of what a threat would be (not just a general
statement about phishing or whatever) with an account of server and
user psychology
4. pointers to places I might go to continue research

Perhaps #2 doesn't exist, if browsers that showed A instead of B were
never deployed; I don't know.

I'm already aware of Mozilla bug #68423, which I find uninformative.

Thanks for any help.

Best
Jonathan
Received on Friday, 12 February 2010 22:45:11 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:31 GMT