Re: Location, URI-header, etc.

Shel Kaphan writes (in response to me on 2xx and Location):
> This may not be so bad.  Remember, caches still cannot serve up
> expired documents, so at worst, they'll serve not-the-latest document,
> which is possible even right now.  Secondly, the cases where this
Agree.
> would really be important are cases where Cache-control:private would
> very likely be in effect -- pretty much anything that deals with
> personalized information will either have this header, or, as the case
> right now, have URL-encoded session information that limits a document
> to one user.
Agree only partially. Not only stateful dialogs may use a
2xx response in combination with Location or a 303 response code.
Generally, the 303 response code is better than the former - except
for private dialogs - because the referenced URI is directly accessed,
eliminating security holes.
In the case of private dialogs the 2xx + Location scenario is better: it
will save one request-response round, but may lie about the referenced URI.
In the case of a private dialog, however, this isn't a big problem: only the
client accessing the request URI can be fooled, which is less attractive
for net hooligans, and such hooliganism is easier to catch.

If we restrict the 2xx response code + Location to responses containing
Cache-control: private, we can eliminate most of the unwanted side effects.
However, in non-private cases the first requestor will have to wait for
an extra request-response round, but it's an acceptable cost for
security improvement.

BTW, is 'cache-control: private' the current replacement for
'Pragma: private'? (I'm still waiting for a non-PostScript version of
the drafts; having only a 386DX33 machine without a 387, I can't
comfortably view PostScript files.) If so, I like it.

Does this sound better than my previous proposal?

Additionally, referring to your original 'comments and questions':

Because a Location header is an implicit URI header, it is both
a response and an entity header.

Allowing Location in 2xx responses for private dialogs gives definite
benefits. However, I have no arguments for allowing URI headers in 2xx
responses, and I agree with your objections regarding security.

Andrew. (Endre Balint Nagy) <bne@bne.ind.eunet.hu>

Received on Saturday, 2 September 1995 16:45:57 UTC