- From: Foteos Macrides <MACRIDES@sci.wfbr.edu>
- Date: Wed, 10 Dec 1997 16:58:10 -0500 (EST)
- To: yarong@microsoft.com
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com, lynx-dev@sig.net
Yaron Goland <yarong@microsoft.com> wrote: >I doubt any commercial browser will implement 305 without some very serious >security provided to assure that the proxy asking for the one time redirect >is going to get it. I would suggest that this problem needs to be dealt with >in the large 305/306 context, in a stand alone spec, and that the draft >standard for HTTP should simply state that 305 has been deprecated and >SHOULD NOT be implemented. You apparently haven't yet grasped the changes Jim already has made for 305 in Rev-01. The 305 can *only* be sent by an origin server. Deployed proxies will pass it through to the browser, as they do for 300, 301, 302, 303 and 307. Josh's 305/306 draft has been dropped from Rev-01, with expectation that he (and Ari) will generate a new, 306-only draft (complementary to a revised OPTIONS draft). I suppose a proxy, if already being used by the browser, could (should?) act on the 305, and there shouldn't be a security problem with that if the 305 is to be handled always as a GET. If unsafe methods are to be retained with 305, instead of postponing that functionality to a new 306 proposal, then yes, it would be better to drop 305. But 305 would be useful if it were specified as presently in Rev-01 with the addition of a sentence that GET always should be used, and who knows when, if ever, the security/privacy problems with 306 will be solved. Fote ========================================================================= Foteos Macrides Worcester Foundation for Biomedical Research MACRIDES@SCI.WFBR.EDU 222 Maple Avenue, Shrewsbury, MA 01545 =========================================================================
Received on Wednesday, 10 December 1997 13:45:04 UTC