Re: User confirmation and 307 redirects

I agree: if a third party can send you a redirect, they probably have your bytes too.  TLS is the only mechanism I can think of that can beat this threat, and TLS makes the UI confirmation unnecessary, because we've already established that we trust the endpoint enough to send them our sensitive data.


On Aug 19, 2010, at 2:10 PM, Adam Barth wrote:

> On Thu, Aug 19, 2010 at 2:06 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> It isn't a feature.  It is a security constraint.  The fact that some
>> browsers have security holes is well known.
> 
> It's completely ineffective as a security mechanism.  At best, all it
> could do is result in blame-the-user security, which isn't security at
> all.
> 
> Adam
> 

Received on Thursday, 19 August 2010 21:28:04 UTC