- From: Shel Kaphan <sjk@amazon.com>
- Date: Wed, 30 Aug 1995 22:48:54 -0700
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> > From: Brian Behlendorf <brian@organic.com>
> ...
> > This assumes "server" is a contiguous authority - not true,
>
> I was about to make the same observation, but another area of problems is that a server might want to return a URI (is this the new name for Location?) that is a URN for the document. How is the client supposed to recognize that the URN is for the same "server"?

I don't really have a good answer...maybe it shouldn't be a URN for this reason. Ugh. I feel like I'm fighting a rear guard action on this one. There are so many reasons it would be nice to save this.

> The only generally safe thing I can think of doing is that if a URI is returned to the client, it should always be considered a redirect, or only allowed in a redirect.

Just to be clear, you're advocating removing the newly added possibility of returning Location with 2xx responses.

> The server ought not return the very same URI as for the request, to avoid an obvious loop. But if it is a different URI, the client ought to be given the chance to find it in a local cache anyway, so a redirect is reasonable.

I'm not denying the existence of the security problem, but again, to be clear, in my model of how this ought to work, the resource enclosed in the response should replace anything in the cache under that URI. This is what would make this construct so useful. The use of Location in a 2xx response is to identify a resource being sent, not as a redirection.

> Daniel LaLiberte (liberte@ncsa.uiuc.edu)
> National Center for Supercomputing Applications
> http://union.ncsa.uiuc.edu/~liberte/

--Shel
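The cache-replacement model Shel describes, restricted by the same-authority check that Brian's and Daniel's objections point to, as an added example that is not code from this thread; the cache dictionary, the `store_response` function and the sample URIs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed model, not code from the http-wg thread: a client cache that lets a
# 2xx response carrying a Location header replace the entry stored under that
# Location URI, but only when the Location names a resource on the same origin
# (scheme, host, port) as the request. A Location on another host, or a URN that
# has no host at all, cannot be tied to the responding server and is ignored,
# so one server cannot overwrite a cache entry belonging to another.

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(uri):
    """Return (scheme, host, port) for an absolute http(s) URI, else None.
    A URN or a relative reference has no host, so it yields None."""
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def store_response(cache, request_uri, status, headers, body):
    """Store a 2xx response and return the list of cache keys written.
    The Location header may widen the update only within the request's origin."""
    if not 200 <= status < 300:
        return []                      # redirects and errors are not stored here
    keys = [request_uri]               # the requested URI is always updated
    location = headers.get("Location")
    if location and location != request_uri:
        if origin(location) is not None and origin(location) == origin(request_uri):
            keys.append(location)      # same authority: replace the other entry
        # otherwise the Location is foreign or unrecognisable and is ignored
    for key in keys:
        cache[key] = body
    return keys


if __name__ == "__main__":
    cache = {}
    print(store_response(cache, "http://www.example.com/a", 200,
                         {"Location": "http://www.example.com/b"}, b"same-origin body"))
    print(store_response(cache, "http://www.example.com/a", 200,
                         {"Location": "http://other.example.net/victim"}, b"foreign body"))
    print(sorted(cache))
```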
Received on Wednesday, 30 August 1995 22:53:53 UTC