- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Thu, 19 Aug 2010 15:37:18 -0700
- To: Adam Barth <ietf@adambarth.com>
- Cc: Mark Pauley <mpauley@apple.com>, Julian Reschke <julian.reschke@gmx.de>, httpbis <ietf-http-wg@w3.org>, Maciej Stachowiak <mjs@apple.com>
On Aug 19, 2010, at 3:20 PM, Adam Barth wrote: > If you think that 307 redirects are a security vulnerability, then > should should remove them from the protocol. Trying to atone for the > security sins of the protocol by punting security to the user is > security theater. Using the Internet is a security vulnerability, yet there are sufficient trade-offs to justify it. The same goes for redirecting an unsafe method if and only if the redirection has been preconfigured or acknowledged by the user. How that is arranged is not defined by the protocol -- it is left up to the user agent developer to decide on their own user interface *if* they want to autoredirect an unsafe method. I don't care if you think all users are idiots. They are responsible for their own use of the Internet. The user agent is responsible for showing/configuring what decisions need to be made by the user. HTTP is only responsible for ensuring that the protocol expresses what the user has decided, and to do that correctly it has to constrain the automatic redirection of unsafe methods unless or until that decision is made by the user. ....Roy
Received on Thursday, 19 August 2010 22:37:47 UTC