- From: Mike Schinkel <mikeschinkel@gmail.com>
- Date: Thu, 8 Mar 2007 16:32:26 -0500
- To: "'David Morris'" <dwm@xpasc.com>, "'Adrien de Croy'" <adrien@qbik.com>
- Cc: <ietf-http-wg@w3.org>
David Morris > If you have a trust relationship with the original server, > you darn well better beable to trust what that server does > with your data ... and in my mind, that extends to trusting > that server to not redirect to an untrusted server. > > In any case, if this data is sensitive, you should make sure > it is sent in an SSL protected session and it seems VERY > reasonable to not allow the scheme to change in a redirect > ... certainly not a down grade in security level. > > Telling the average user there is a concern isn't worth the effort. I was going to say essentially the same, but since you already did I'll just +1. Also, as a user, I myself would get pissed if I had to fill out a login form twice and be mad at the website, not realizing it was the specification's fault. -- -Mike Schinkel http://www.mikeschinkel.com/blogs/ http://www.welldesignedurls.org http://atlanta-web.org - http://t.oolicio.us
Received on Thursday, 8 March 2007 21:33:09 UTC