RE: Redirection of a POST as a GET

Unfortunately, I've come to the conclusion that the notion that a general-purpose user-agent may be able to protect user information once the user has entered it is likely to be fundamentally unsound in real-world use.

While, in the abstract, it seems reasonable that a cross-server redirection would notify the user, this assumes that:

1> the user understands the implications (unlikely)
2> the user had not previously disabled such warnings (most users do)
3> "safe" methods cannot be used unsafely (untrue; nothing stops servers from resubmitting postdata/creds as a querystring)
4> cross-data posting is usually "evil" and isn't already commonly used by "legitimate" sites (e.g. redirect to

Even if all of these factors didn't exist, the fundamental problem is that the user-agent cannot protect the user's data once it's in the server's control.  A poorly or maliciously written server can perform all manner of activities with the data, including posting it in plaintext, in an insecure database, etc.  If the user-agent inhibits the server's ability to direct the browser to resubmit the data elsewhere, the server is likely either to work around the restriction via a mechanism which is no more private or safe (e.g. a backend web-service call) or to circumvent the restriction directly (e.g. by passing the data in a query string).  Furthermore, in the case of browser user-agents, we cannot simply rely on adding heuristics or restrictions for FORM tags, because a web developer could simply circumvent those restrictions using either an applet (e.g. Flash) or by submitting the data without using HTML Forms submission (e.g. using XMLHTTP).

Eric Lawrence

-----Original Message-----
From: [] On Behalf Of Julian Reschke
Sent: Thursday, March 08, 2007 4:15 AM
To: Adrien de Croy
Cc: Group
Subject: Re: Redirection of a POST as a GET

Adrien de Croy schrieb:
> one thing - are there any security implications with a browser say
> automatically resubmitting some POST data to another server based on a
> redirect code?

Yes. That's why 10.3
(<>) says:

"The action required MAY be carried out by the user agent without
interaction with the user if and only if the method used in the second
request is GET or HEAD."

(this part needs to be fixed to say "safe method" instead of "GET or HEAD").

> ...

Best regards, Julian

Received on Thursday, 8 March 2007 19:24:52 UTC
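The two points the thread turns on, the 10.3 rule that a redirected request may be sent without asking the user only when it is a safe method, and Eric's observation that a server can defeat that rule by echoing the POSTed fields into the Location query string, as an added example (not code from the thread or from any browser). It models a user-agent's redirect decision for a POST and a check for the query-string leak; the function names, the `example.test` hosts and the form fields are this example's own assumptions, and the POST-to-GET rewrite on 301/302 follows what most user-agents do rather than the letter of the spec.

```javascript
// Added example, not part of the original thread. Models a user-agent
// deciding what to do with a 3xx response to a POST, per the rule quoted
// from RFC 2616 section 10.3: follow automatically only if the second
// request uses a safe method (GET or HEAD); otherwise ask the user.
// Hosts, field names and function names are constructed for this example.

const SAFE_METHODS = new Set(["GET", "HEAD"]);

// Work out the redirected request and whether it may be sent without
// user interaction. `original` is {url, method, body}.
function planRedirect(original, status, location) {
  const target = new URL(location, original.url);
  const origin = new URL(original.url);
  const crossServer = target.host !== origin.host;

  let method = original.method;
  let body = original.body;
  if (status === 303 ||
      ((status === 301 || status === 302) && original.method === "POST")) {
    // 303 always becomes GET; most user-agents also turn a POSTed
    // 301/302 into a GET (the "redirection of a POST as a GET" case).
    method = "GET";
    body = null;
  }
  // 307 keeps the method and body, so a POST stays a POST.

  // The 10.3 rule: automatic only if the *second* request is safe.
  const automatic = SAFE_METHODS.has(method);
  return { url: target.href, method, body, crossServer, automatic };
}

// The circumvention Eric describes: the redirect target is a "safe" GET,
// but its query string carries the values the user just POSTed. Returns
// the names of POST fields whose values reappear as query parameters.
function leakedFields(postFields, location, baseUrl) {
  const params = new URL(location, baseUrl).searchParams;
  const leaked = [];
  for (const [name, value] of Object.entries(postFields)) {
    if (value === "") continue;
    for (const [, qv] of params) {
      if (qv === value) { leaked.push(name); break; }
    }
  }
  return leaked;
}

// Constructed sample input: a login POST and two server responses.
const ORIGINAL = {
  url: "https://login.example.test/submit",
  method: "POST",
  body: "user=alice&pass=hunter2",
};
const POST_FIELDS = { user: "alice", pass: "hunter2" };
// A 307 to another host: method and body are preserved, so the
// user-agent must not resend without asking.
const LOC_307 = "https://other.example.test/collect";
// A 302 whose Location smuggles the credentials into the query string:
// the follow-up is a GET, so 10.3 lets it go automatically.
const LOC_302 = "https://other.example.test/collect?u=alice&p=hunter2";
```

Running `planRedirect(ORIGINAL, 307, LOC_307)` yields a cross-server POST with `automatic` false, which is the case the spec reserves for user confirmation; `planRedirect(ORIGINAL, 302, LOC_302)` yields an automatic GET, and only `leakedFields(POST_FIELDS, LOC_302, ORIGINAL.url)` reveals that the "safe" request still carries the user's credentials. The check is a heuristic that only catches verbatim echoes; an encoded or renamed copy passes it, which is the practical limit Eric's message describes.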