RE: LYNX-DEV two curiosities from IETF HTTP session.

It is still an attack as the origin server, if it has not been
authenticated, is just some random server. To remind folks of the problems
with click tracking and cookies, a bunch of servers could choose to have
requests to them redirected to indicated proxies where advertising and other
information will be inserted as needed. This very effectively gets around
cookie issues.
	Yaron

> -----Original Message-----
> From:	jg@pa.dec.com [SMTP:jg@pa.dec.com]
> Sent:	Wednesday, December 10, 1997 7:48 PM
> To:	Yaron Goland
> Cc:	jg@pa.dec.com; Josh Cohen; Foteos Macrides; lynx-dev@sig.net;
> http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> Subject:	RE: LYNX-DEV two curiosities from IETF HTTP session.
> 
> 
> >  From: Yaron Goland <yarong@microsoft.com>
> >  Date: Wed, 10 Dec 1997 11:21:51 -0800
> >  To: "'jg@pa.dec.com'" <jg@pa.dec.com>, Josh Cohen <joshco@microsoft.com>
> >  Cc: Foteos Macrides <MACRIDES@SCI.WFBR.EDU>, lynx-dev@sig.net,
> >          http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
> >  Subject: RE: LYNX-DEV two curiosities from IETF HTTP session.
> >  
> >  I doubt any commercial browser will implement 305 without some very
> >  serious security provided to assure that the proxy asking for the one
> >  time redirect is going to get it. I would suggest that this problem
> >  needs to be dealt with in the large 305/306 context, in a stand alone
> >  spec, and that the draft standard for HTTP should simply state that
> >  305 has been deprecated and SHOULD NOT be implemented.
> >  
> >  	Yaron
> 
> I think you are confused....  In Rev-01, only an origin server is allowed
> to generate a 305 response.  It is authoritative for that resource, so
> the spoofing problems don't come up (and is the reason for that text being
> in the document...)
> 				- Jim

Received on Saturday, 13 December 1997 22:58:34 UTC
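The disagreement above is about whether a client should ever act on a 305 Use Proxy response. The following is an added example, not code from the thread or from Lynx: a small client-side redirect policy that parses the head of an HTTP/1.1 response and refuses to reconfigure its proxy on a 305, while still following ordinary 3xx redirects. The response bytes, host names and the `Decision` type are constructed for illustration; the policy assumes (as modern HTTP specifications do) that proxy selection belongs to the client or its administrator, never to a server that has not been authenticated.

```python
"""Client-side policy for 3xx responses that never honours 305 Use Proxy.

Rationale from the thread: an unauthenticated origin server is "just some
random server", so letting it point the client at a proxy of its choosing
hands every subsequent request to an arbitrary intermediary. The policy
below treats 305 as a logged refusal and follows only ordinary redirects.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urljoin

ORDINARY_REDIRECTS = {301, 302, 303, 307, 308}


@dataclass
class Decision:
    action: str              # "follow", "refuse" or "none"
    target: Optional[str]    # absolute URL the client would go to, if any
    reason: str              # human-readable explanation for the log


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from an HTTP/1.1 response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def redirect_policy(status: int, headers: Dict[str, str], request_url: str) -> Decision:
    """Decide what a cautious client does with a 3xx response."""
    location = headers.get("location")
    target = urljoin(request_url, location) if location else None

    if status == 305:
        # The server may be authoritative for the resource, but it is not
        # authoritative for how this client reaches the network; a proxy
        # change is a client/administrator decision and is refused.
        return Decision("refuse", target,
                        "305 Use Proxy ignored: server-directed proxy change not permitted")
    if status in ORDINARY_REDIRECTS:
        if target is None:
            return Decision("none", None, "redirect without Location header")
        return Decision("follow", target, "ordinary redirect to %s" % target)
    return Decision("none", None, "status %d is not a redirect" % status)


def evaluate(raw_responses: List[bytes], request_url: str) -> List[Decision]:
    """Run the policy over several raw responses (e.g. from a test corpus)."""
    return [redirect_policy(*parse_response_head(raw), request_url) for raw in raw_responses]


# Constructed sample responses: one 305 pointing at a proxy, one ordinary redirect.
SAMPLE_RESPONSES = [
    b"HTTP/1.1 305 Use Proxy\r\nLocation: http://proxy.example:8080/\r\n\r\n",
    b"HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_RESPONSES, "http://origin.example/page"):
        print(d.action, d.target, "-", d.reason)
```

`evaluate` is the hook a practitioner would wire into a fetch loop or a log replay: a "refuse" decision is the event worth alerting on, since a 305 from any origin is a sign that something is trying to re-route the client's traffic.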