Re: Redirection of a POST as a GET

On Fri 2007-03-09 at 00:02 +1300, Adrien de Croy wrote:

> I'm not sure how comfortable I would be typing my username and password 
> into a form, and then having my browser automatically sending that 
> information off to another site without my knowledge because the site 
> sent back a 307.

And the specs do not allow it without user confirmation.

This security blanket has always been in the specs regarding automatic
redirection, only allowing it to take place for GET/HEAD requests
without user confirmation. Even the HTTP/1.0 specs have this security
restriction.

Regards
Henrik

Received on Thursday, 8 March 2007 22:56:42 UTC
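
The rule discussed in this message, sketched as a redirect handler for Python's `urllib` (an added example, not part of the original message or of any browser's code). The class name, the `confirm` callback standing in for a user prompt, and the `.example` URLs are assumptions; the 303 branch follows RFC 2616, where a 303 response is retrieved with GET.

```python
import urllib.request
from urllib.error import HTTPError

SAFE_METHODS = {"GET", "HEAD"}          # may be redirected automatically
NEEDS_CONFIRMATION = {301, 302, 307}    # RFC 2616: re-sending other methods needs the user's OK


class ConfirmingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect GET/HEAD automatically; ask before re-sending anything else."""

    def __init__(self, confirm):
        # confirm(method, old_url, new_url) -> bool is a hypothetical stand-in
        # for the browser's confirmation dialog.
        self.confirm = confirm

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        method = req.get_method()
        if method in SAFE_METHODS:
            return super().redirect_request(req, fp, code, msg, headers, newurl)
        if code == 303:
            # 303 See Other: fetch the new URL with GET; the body is not re-sent.
            return urllib.request.Request(newurl, method="GET",
                                          origin_req_host=req.origin_req_host,
                                          unverifiable=True)
        if code in NEEDS_CONFIRMATION and self.confirm(method, req.full_url, newurl):
            # User agreed: repeat the same method and body at the new location.
            # Request headers are deliberately not copied to the new target.
            return urllib.request.Request(newurl, data=req.data, method=method,
                                          origin_req_host=req.origin_req_host,
                                          unverifiable=True)
        # No confirmation: surface the 3xx to the caller instead of forwarding the body.
        raise HTTPError(req.full_url, code,
                        f"{method} redirect to {newurl} not confirmed", headers, fp)


if __name__ == "__main__":
    # Constructed request; nothing is sent over the network here.
    handler = ConfirmingRedirectHandler(lambda m, old, new: False)
    login = urllib.request.Request("http://a.example/login",
                                   data=b"user=u&pw=p", method="POST")
    try:
        handler.redirect_request(login, None, 307, "Temporary Redirect", {},
                                 "http://b.example/collect")
    except HTTPError as err:
        print("blocked:", err.code, err.msg)
```

Install it with `urllib.request.build_opener(ConfirmingRedirectHandler(prompt_fn))`, where `prompt_fn` is whatever confirmation mechanism the application provides.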