- From: Adrien de Croy <adrien@qbik.com>
- Date: Fri, 09 Mar 2007 12:13:09 +1300
- To: Henrik Nordstrom <henrik@henriknordstrom.net>
- CC: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Thanks for that. This may be a key factor in why we are in the state we are in (i.e. why everyone responds to a 30x from a POST with a GET): because it's the "safe and obvious" option, albeit non-conformant.

Anyone who's run Vista knows how painful nags can get. You can hardly do anything without being prompted to make this or that decision; even when you've just told it to do something, it still asks for security clearance (even when you're an admin). Most people just want the thing to work with as little thought and extra effort as possible.

So designing requirements into the spec to prompt users for decisions is kinda doomed, I think. There will be strong consumer pressure to disable the nags, which software writers will respond to by implementing nag-disabling options, which people will then turn on. Alternatively there will be pressure brought to bear on site writers not to return 307 responses because they generate a nag. Either way the potential benefits of the 307 could end up being lost, in which case....

Henrik Nordstrom wrote:
> Fri 2007-03-09 at 00:02 +1300, Adrien de Croy wrote:
>
>> I'm not sure how comfortable I would be typing my username and password
>> into a form, and then having my browser automatically sending that
>> information off to another site without my knowledge because the site
>> sent back a 307.
>
> And the specs do not allow it without user confirmation.
>
> This security blanket has always been in the specs regarding automatic
> redirection, only allowing it to take place for GET/HEAD requests
> without user confirmation. Even the HTTP/1.0 specs have this security
> restriction.
>
> Regards
> Henrik
Received on Thursday, 8 March 2007 23:13:13 UTC
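The redirect policy the two messages argue about, written out as runnable decision logic. This is an added example and not code from the thread, from any browser, or from any HTTP library; the function and parameter names (`decide_redirect`, `Outcome`, the `strict` flag, the `confirm` callback) and the login/collector URLs in the demo are this example's own constructions. It encodes the RFC 2616 rules: 303 always becomes a GET, GET/HEAD redirects may be followed automatically, and a 301/302/307 received after an unsafe method such as POST must not be re-issued without user confirmation. The `strict=False` path reproduces the common non-conformant behaviour the thread describes, where a POST redirected by 301/302 is silently turned into a GET, which is exactly why the form body is never re-sent in practice and why a 307 is the only status that forces the question.

```python
"""Redirect-following policy for HTTP 30x responses after a POST.

Added example, not part of the mailing-list message. The rules follow
RFC 2616 (301/302/303/307); the `strict=False` branch models the
non-conformant POST-to-GET rewrite that most user agents actually do.
Names and sample URLs here are this example's own, not any real API.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit

SAFE_METHODS = {"GET", "HEAD"}

# Stand-in for the user prompt the spec requires before a non-GET/HEAD
# request is re-issued to the redirect target. Returns True to allow.
# Arguments: (status, method, target_url, cross_origin)
ConfirmFn = Callable[[int, str, str, bool], bool]


@dataclass
class Outcome:
    follow: bool           # whether the client goes on to the Location target
    method: str            # method used for the follow-up request
    url: str               # absolute target URL
    body: Optional[bytes]  # request body re-sent (None if dropped)
    reason: str


def same_origin(url_a: str, url_b: str) -> bool:
    """Scheme/host/port comparison as written in the URL (no default-port folding)."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def decide_redirect(status: int, method: str, request_url: str, location: str,
                    body: Optional[bytes], confirm: ConfirmFn,
                    strict: bool = True) -> Outcome:
    method = method.upper()
    target = urljoin(request_url, location)   # Location may be relative
    cross_origin = not same_origin(request_url, target)

    if status == 303:
        # 303 See Other: always GET the new URI; the POST body is not re-sent.
        return Outcome(True, "GET", target, None, "303: GET the new URI, body dropped")

    if status not in (301, 302, 307):
        return Outcome(False, method, target, body, f"{status}: not a redirect this policy handles")

    if method in SAFE_METHODS:
        # GET/HEAD may be followed automatically with the same method.
        return Outcome(True, method, target, None, f"{status}: safe method, followed automatically")

    if not strict and status in (301, 302):
        # The widespread non-conformant behaviour: treat 301/302 after POST
        # like 303 and re-issue as GET without asking. Body is silently dropped,
        # so nothing secret travels to the target, but the semantics are wrong.
        return Outcome(True, "GET", target, None,
                       f"{status}: legacy rewrite of {method} to GET without confirmation")

    # Conformant path for 301/302/307 after an unsafe method: the user agent
    # MUST NOT re-issue the request automatically; ask the user first. Only
    # on confirmation does the original method and body go to the new target.
    where = " to another origin" if cross_origin else ""
    if confirm(status, method, target, cross_origin):
        return Outcome(True, method, target, body,
                       f"{status}: user confirmed re-sending {method}{where}")
    return Outcome(False, method, target, body,
                   f"{status}: {method} redirect{where} not confirmed, request dropped")


if __name__ == "__main__":
    # Constructed scenario: a login form POSTed to one site, redirected elsewhere.
    form_url = "https://login.example/form"          # constructed
    elsewhere = "https://other.example/collect"      # constructed
    creds = b"user=alice&password=hunter2"           # constructed
    deny = lambda status, method, target, cross: False
    allow = lambda status, method, target, cross: True

    for status in (301, 302, 303, 307):
        for strict in (True, False):
            o = decide_redirect(status, "POST", form_url, elsewhere, creds, deny, strict=strict)
            print(f"{status} strict={strict!s:5} -> follow={o.follow!s:5} {o.method:4} "
                  f"body={'sent' if o.body else 'dropped':7} {o.reason}")
    o = decide_redirect(307, "POST", form_url, elsewhere, creds, allow)
    print(f"307 confirmed -> {o.method} {o.url} body={'sent' if o.body else 'dropped'}")
```

Running the demo shows the asymmetry the thread is about: with `strict=False` a 301 or 302 after POST is followed as a GET with the credentials dropped and no prompt, whereas a 307 is the one status where the body would be re-sent, so the conformant client has to stop and ask (the `deny` callback) before anything leaves for the other origin.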