- From: Dirk Pranke <dpranke@chromium.org>
- Date: Thu, 19 Aug 2010 17:58:10 -0700
- To: "Roy T. Fielding" <fielding@gbiv.com>
- Cc: Adam Barth <ietf@adambarth.com>, Mark Pauley <mpauley@apple.com>, Julian Reschke <julian.reschke@gmx.de>, httpbis <ietf-http-wg@w3.org>, Maciej Stachowiak <mjs@apple.com>
On Thu, Aug 19, 2010 at 5:23 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
> On Aug 19, 2010, at 4:39 PM, Dirk Pranke wrote:
>
>> On Thu, Aug 19, 2010 at 4:21 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>>> On Aug 19, 2010, at 3:44 PM, Adam Barth wrote:
>>>
>>>> On Thu, Aug 19, 2010 at 3:37 PM, Roy T. Fielding <fielding@gbiv.com> wrote:
>>>>> On Aug 19, 2010, at 3:20 PM, Adam Barth wrote:
>>>>>> If you think that 307 redirects are a security vulnerability, then
>>>>>> you should remove them from the protocol. Trying to atone for the
>>>>>> security sins of the protocol by punting security to the user is
>>>>>> security theater.
>>>>>
>>>>> Using the Internet is a security vulnerability, yet there are sufficient
>>>>> trade-offs to justify it. The same goes for redirecting an unsafe
>>>>> method if and only if the redirection has been preconfigured or
>>>>> acknowledged by the user. How that is arranged is not defined by
>>>>> the protocol -- it is left up to the user agent developer to decide
>>>>> on their own user interface *if* they want to autoredirect an unsafe
>>>>> method.
>>>>
>>>> The draft says:
>>>>
>>>> [[
>>>> Otherwise, the user agent MUST NOT automatically
>>>> redirect the request unless it can be confirmed by the user
>>>> ]]
>>>>
>>>> If the user agent developer can choose whether or not to autoredirect
>>>> an unsafe method, in what sense is this requirement a MUST NOT?
>>>
>>> The user interface for obtaining confirmation is designed by the
>>> user agent developer. The user agent developer can choose to never
>>> automatically redirect, provide some form of whitelist or zone
>>> functionality that preapproves such an automated redirect, or
>>> obtain a confirmation directly from the user upon receipt of
>>> the redirect -- any one of those satisfies the HTTP requirement.
>>>
>>
>> If the user agent developer can choose to whitelist some redirects,
>> doesn't that directly contradict the text?
>
> No. Whitelists are just a prearranged form of confirmation.
> In any case, we already discussed changing the text to be more
> clear, like the paragraph above; it should be somewhere
> in the list of editorial issues.
>

Whitelists are a prearranged form of confirmation, but if the user didn't create the whitelist (or at least authorize it), then it seems to me to be not in the spirit of the requirement (or at least it also blurs the definition of user as per below).

>> Also, suggesting that the "user" is the designer of the UI (or the
>> programmer), and not the viewer or the end-user, would seem to
>> contradict common usage in our specs.
>
> Then your specs assume that a viewer is driving the application of
> computing for which the specification exists. HTTP doesn't.
>

No, I'm suggesting that "user" is usually understood to mean "end user" aka "a human being" (where user agent is the intermediary software program). I gather you are suggesting that "code running at the next layer up in the stack" is also a user? It's not clear to me how one would then draw the line between "user" and "user agent" in the spec, so perhaps that should also be clarified as part of the editorial tasks.

> If I install a maintenance spider and it proceeds to crawl
> the Internet while I am off sleeping, then I am the user because
> I configured the crawl, not because I am viewing it in action.
>

Sure, but you *as a user* explicitly initiated the action and presumably are quite familiar with what the behavior of the spider would be when you configured it (assuming you explicitly configured --follow-307s or something). If you didn't explicitly configure that choice, I would interpret the spec as saying that the spider should stop to confirm the redirect with you, or be forced to redefine "user" as per above.

> If I turn on a navigation system and it proceeds to perform a
> bunch of hidden requests in the background that I had no part
> in selecting, then I am most definitely not the user from the
> perspective of those requests. If, however, it provides some
> UI for making such a decision, such as "Send traffic updates to X",
> then I am the user and the system is equally capable of
> explaining X in such a way that it is a group of potential sites
> (e.g., "send traffic updates to Google") rather than something
> else, like "send my location information to anyone in the world".

In these paragraphs it seems clear to me that you are referring to the "user" as if the term refers to a human being, so it still seems to me that, if you're not contradicting yourself, you're at least not providing good examples for your argument. Perhaps you are suggesting that the user is implicitly agreeing to the redirects by installing the software at all? That seems like a reach. I apologize if this sounds confrontational; I'm just trying to understand your position.

Also, I am not clear on what you think would be the acceptably clearer text that "we already discussed"; was that in an earlier thread? It didn't seem like you agreed to changing the text at all in this particular thread.

-- Dirk
Received on Friday, 20 August 2010 00:58:42 UTC
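The three confirmation arrangements Roy lists for following a 307 on an unsafe method (never auto-redirect, a preapproved whitelist, or asking the user), as an added Python example that is not code from the thread or from any user agent discussed in it; the RedirectPolicy class, function names and sample origins are constructed here, and the whitelist is honoured only when the end user authorized it, reflecting Dirk's objection.

```python
"""Redirect-following policy for a 307 response to an unsafe request.

Added example, not from the thread. A 307 preserves the request method
and body, so automatically following one for POST/PUT/DELETE re-sends
that body to whatever the Location header names. The three arrangements
in the thread are modelled: never auto-redirect, a prearranged whitelist
(honoured only when the user authorized it), or asking the user directly.
"""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlparse

# Methods HTTP defines as safe; redirecting these needs no confirmation.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass(frozen=True)
class RedirectPolicy:          # constructed for this example
    # Origins (scheme://host[:port], lower-case) preapproved for unsafe redirects.
    whitelist: frozenset = frozenset()
    # True only if the end user created or explicitly authorized the whitelist;
    # a list shipped by the vendor does not count as the user's confirmation.
    whitelist_user_authorized: bool = False
    # Interactive confirmation: called with (method, origin), True means follow.
    confirm: Optional[Callable[[str, str], bool]] = None


def origin_of(url: str) -> str:
    """Normalize a Location URL to its origin for whitelist comparison."""
    parts = urlparse(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def may_follow_307(method: str, location: str, policy: RedirectPolicy) -> bool:
    """Decide whether the user agent may follow a 307 for this request."""
    if method.upper() in SAFE_METHODS:
        return True                      # safe method: redirect freely
    target = origin_of(location)
    # Prearranged confirmation: only a user-authorized whitelist qualifies.
    if policy.whitelist_user_authorized and target in policy.whitelist:
        return True
    # Direct confirmation from the user upon receipt of the redirect.
    if policy.confirm is not None:
        return bool(policy.confirm(method, target))
    # Otherwise the requirement reads "MUST NOT automatically redirect".
    return False


if __name__ == "__main__":
    vendor_list = RedirectPolicy(whitelist=frozenset({"https://example.net"}))
    user_list = RedirectPolicy(frozenset({"https://example.net"}), True)
    for label, pol in [("strict", RedirectPolicy()), ("vendor", vendor_list), ("user", user_list)]:
        print(label, may_follow_307("POST", "https://example.net/submit", pol))
```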