- From: Benjamin Franz <snowhare@netimages.com>
- Date: Sat, 16 Dec 1995 08:41:56 -0800 (PST)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
On Sat, 16 Dec 1995, Koen Holtman wrote: > > Clients (including caching proxies) should disregard Location > headers in 2xx responses if they do not point to the same server > that generated the response. > > This restriction still leaves you with a negotiation mechanism > powerful enough to handle the French/English example. > > Note that the above solution assumes that either the content providers > on the same server either trust each other not to spoof, or that the > server has some Location response header filtering mechanism that > excludes spoofing. > This is not a safe assumption. Numerous providers sell space to many independent people on single servers. For example: www.xmission.com serves on the order of 1000 independent entities, including many businesses and people, and allows CGI to be owned by the individuals. Clearly there is the opportunity for someone to spoof there under the rule. It is not significantly safer than unrestricted redirections when many (most?) people share common servers. -- Benjamin Franz
Received on Saturday, 16 December 1995 08:34:08 UTC