- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Thu, 08 Mar 2007 22:42:38 +0100
- To: Mike Schinkel <mikeschinkel@gmail.com>
- CC: 'David Morris' <dwm@xpasc.com>, 'Adrien de Croy' <adrien@qbik.com>, ietf-http-wg@w3.org
Mike Schinkel schrieb: > David Morris >> If you have a trust relationship with the original server, >> you darn well better beable to trust what that server does >> with your data ... and in my mind, that extends to trusting >> that server to not redirect to an untrusted server. >> >> In any case, if this data is sensitive, you should make sure >> it is sent in an SSL protected session and it seems VERY >> reasonable to not allow the scheme to change in a redirect >> ... certainly not a down grade in security level. >> >> Telling the average user there is a concern isn't worth the effort. > > I was going to say essentially the same, but since you already did I'll just > +1. > > Also, as a user, I myself would get pissed if I had to fill out a login form > twice and be mad at the website, not realizing it was the specification's > fault. Well. If a server redirects POST request from /a to /b *on the same server*, blame the server. It could easily let the request on /a succeed, or shouldn't have exposed /a in the first place. You know, Cool URIs Do Not Change. Best regards, Julian
Received on Thursday, 8 March 2007 21:43:02 UTC