- From: David W. Morris <dwm@xpasc.com>
- Date: Wed, 19 Mar 1997 16:51:29 -0800 (PST)
- To: Josh <josh@netscape.com>
- Cc: "Roy T. Fielding" <fielding@kiwi.ICS.UCI.EDU>, http-wg@cuckoo.hpl.hp.com
On Wed, 19 Mar 1997, Josh wrote:

>
> Roy said
> > Josh said
> >
> > >Suggested rules:
> > >Origin servers may NOT send 305, only proxies may send them.
> >
> > Nope. The original intended purpose of 305 is to allow an origin server
> > to prevent access unless it goes through the appropriate proxy.
> >
> I agree that an origin server based redirect is a good idea,
> and although I can't quickly come up with a case for it which
> couldn't achieve the same results by other means, I think
> this functionality is worthwhile. However, from a security
> standpoint I think it's hard to implement.

I'm missing a point somewhere ... why do you think there is a greater
security issue with an origin server specifying a proxy redirect than a
proxy doing it? My sense is that the converse is true. Since the redirect
is hop-hop, it seems like the origin server would be at least as trusted
as any proxy in terms of telling a user where to get resources logically
owned by the origin server.

Dave Morris

Received on Wednesday, 19 March 1997 16:55:26 UTC