On Aug 19, 2010, at 2:10 PM, Adam Barth wrote:

> On Thu, Aug 19, 2010 at 2:06 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>> It isn't a feature. It is a security constraint. The fact that some
>> browsers have security holes is well known.
>
> It's completely ineffective as a security mechanism. At best, all it
> could do is result in blame-the-user security, which isn't security at
> all.

Please think about it for a while before you try to convince me that a DELETE on any website on the planet should be able to result in an automatic DELETE being redirected to any other website on the planet, or your local intranet. Likewise for PUT, POST, etc.

There is no compelling need for auto-redirect for an unsafe method. If you can't figure out a safe way that your "user" (an entity which varies substantially based on the type of HTTP client being used) can approve of the redirect, then the safe choice is to not redirect the request.

Your concerns about the ugliness of such a dialog are not relevant to the requirement as written in the spec, and it simply wouldn't matter if every single browser implemented it wrong: browsers make up only a small percentage of HTTP client vendors.

....Roy

Received on Thursday, 19 August 2010 21:37:58 UTC
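The client-side rule argued for above, as an added example that is not from the thread or from any browser or library: a redirect policy for a generic HTTP client that auto-follows a 3xx only when the replayed request is safe (GET/HEAD, or a 303 that turns the request into a retrieval), and replays an unsafe method such as DELETE only when a client-specific `confirm` callback (assumed here; it stands in for whatever "user approval" means for that kind of client) says yes. The function and its return shape are this example's own design, not part of any spec.

```python
from urllib.parse import urljoin, urlsplit

SAFE_METHODS = {"GET", "HEAD"}               # RFC 2616 §9.1.1: no side effects
SAME_METHOD_REDIRECTS = {301, 302, 307, 308}  # 308 came later, in RFC 7538


def plan_redirect(method, request_url, status, location, confirm=None):
    """Decide what a client may do with a 3xx response to `method request_url`.

    Returns (action, next_method, next_url) where action is:
      "follow"    auto-redirect is fine (the replay is a safe request),
      "confirmed" unsafe method replayed only because `confirm` approved it,
      "stop"      do not resend; surface the 3xx to the caller instead.
    `confirm(method, from_url, to_url) -> bool` is an assumed hook.
    """
    method = method.upper()
    next_url = urljoin(request_url, location)      # Location may be relative
    if urlsplit(next_url).scheme not in ("http", "https"):
        return ("stop", method, next_url)          # never redirect off HTTP(S)

    if status == 303:
        # 303 See Other: the target is fetched with a *retrieval* request, so
        # the original unsafe request (POST/PUT/DELETE) is never replayed.
        return ("follow", "HEAD" if method == "HEAD" else "GET", next_url)

    if status not in SAME_METHOD_REDIRECTS:
        return ("stop", method, next_url)          # 300, 304, 305, ...: no auto-follow

    if method in SAFE_METHODS:
        return ("follow", method, next_url)        # replaying GET/HEAD is harmless

    # Unsafe method: RFC 2616 §10.3.2/10.3.3/10.3.8 say the user agent MUST NOT
    # automatically redirect unless the user confirms. No hook, or a "no",
    # means the safe choice from the thread: do not redirect the request.
    if confirm is not None and confirm(method, request_url, next_url):
        return ("confirmed", method, next_url)
    return ("stop", method, next_url)


def is_cross_origin(url_a, url_b):
    """True when scheme, host or port differ: the "other website / local
    intranet" case a confirm hook would want to highlight to the user."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) != (b.scheme, b.hostname, b.port)
```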