- From: Joe Gregorio <joe@bitworking.org>
- Date: Tue, 1 Dec 2009 10:00:22 -0500
- To: "Manger, James H" <James.H.Manger@team.telstra.com>
- Cc: Tyler Close <tyler.close@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Mon, Nov 30, 2009 at 5:52 PM, Manger, James H <James.H.Manger@team.telstra.com> wrote:
>> The 307 redirect target resource is a good guy. The webbot and the redirect
>> target live behind the same firewall. The evil resource lives outside the
>> firewall. For the protection of the good guy resource, the webbot must
>> enforce the SOP, so that the redirect is not followed.
>
> This actually is covered by the HTTP spec (1.1 and HTTPbis).
> For instance, 8.3.8 307 Temporary Redirect says:
>
>    If the 307 status code is received in response to a request method
>    that is known to be "safe", as defined in Section 7.1.1, then the
>    request MAY be automatically redirected by the user agent without
>    confirmation. Otherwise, the user agent MUST NOT automatically
>    redirect the request unless it can be confirmed by the user, since
>    this might change the conditions under which the request was issued.
>
> [http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-08#section-8.3.8]
>
> At the HTTP layer it is not a same-origin issue, but a wider issue with methods that are not "safe".

I've covered these scenarios in httplib2 with the .follow_redirects and .follow_all_redirects options:

http://httplib2.googlecode.com/hg/doc/html/libhttplib2.html#httplib2.Http.follow_redirects

Tyler, are you asking for HTTP client libraries to provide something more comprehensive than that?

Thanks,
-joe

> James Manger
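The redirect decision the two messages above are arguing about, as an added example (not code from httplib2 or from either poster): a client-side policy that applies the quoted 307 rule (auto-follow only for safe methods unless the caller opts in, in the spirit of httplib2's follow_redirects / follow_all_redirects options) and, optionally, James Manger's same-origin check for a webbot behind a firewall. The hostnames and the response table are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urljoin, urlsplit

SAFE_METHODS = {"GET", "HEAD"}  # "safe" methods per HTTP/1.1 section 7.1.1

@dataclass
class RedirectPolicy:
    follow_redirects: bool = True       # like httplib2's default: auto-follow for safe methods only
    follow_all_redirects: bool = False  # like httplib2's opt-in: also auto-follow POST/PUT/...
    same_origin_only: bool = False      # constructed here: the firewall scenario in the thread

def origin(url: str) -> tuple:
    """(scheme, host, port) triple used for the same-origin comparison."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or (443 if p.scheme == "https" else 80))

def decide(policy: RedirectPolicy, method: str, status: int,
           request_url: str, location: Optional[str]) -> tuple:
    """Return (follow, next_method, reason) for a single redirect response."""
    if status not in (301, 302, 303, 307) or not location:
        return (False, method, "not a redirect")
    if not policy.follow_redirects:
        return (False, method, "redirects disabled")
    target = urljoin(request_url, location)
    # 303 is defined to be followed with GET, so the original method's safety is moot.
    next_method = "GET" if status == 303 else method.upper()
    if next_method not in SAFE_METHODS and not policy.follow_all_redirects:
        return (False, method, "unsafe method: MUST NOT auto-redirect without user confirmation")
    if policy.same_origin_only and origin(request_url) != origin(target):
        return (False, method, "cross-origin redirect target refused")
    return (True, next_method, "ok")

# Constructed responses: an external resource answers 307 pointing at a host
# behind the webbot's firewall (James Manger's scenario). Not real hosts.
CONSTRUCTED = {
    "http://evil.example/form": (307, "http://intranet.example/admin/delete"),
    "http://intranet.example/admin/delete": (200, None),
}

def run(policy: RedirectPolicy, method: str, url: str,
        responses=CONSTRUCTED, max_hops: int = 5) -> tuple:
    """Walk a redirect chain; returns (final_url, final_method, hops, reason)."""
    hops = 0
    while hops < max_hops:
        status, location = responses[url]
        follow, method, reason = decide(policy, method, status, url, location)
        if not follow:
            return (url, method, hops, reason)
        url, hops = urljoin(url, location), hops + 1
    return (url, method, hops, "too many redirects")
```

With the defaults a POST is stopped at the first hop, a GET crosses into the intranet host, and only the added same_origin_only flag stops the GET as well, which is the gap the thread is discussing.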
Received on Tuesday, 1 December 2009 15:01:04 UTC