Re: #295: Applying original fragment to "plain" redirected URI (also #43)

draft-bos-http-redirect looks fine.  One quibble:

[[
Security considerations

   No new security considerations are added to those already present in
   HTTP 1.1.
]]

This behavior does contain a (slight) security risk in that a server
might inadvertently leak a fragment containing a secret to another
server in this way.

Adam


On Fri, May 27, 2011 at 6:07 PM, Mark Nottingham <mnot@mnot.net> wrote:
> Thanks, Eric -- that's very helpful.
>
> Speaking just about #295 for the moment, does anyone have a concern about defining the behaviour as in draft-bos-http-redirect?
>
> Cheers,
>
>
> On 28/05/2011, at 10:58 AM, Eric Lawrence wrote:
>
>> I've filed an issue in our database for consideration in IE10.
>>
>> Having HTTPBIS clearly call for this behavior will definitely help support the case for making a change.
>>
>> thanks,
>> Eric Lawrence
>>
>> -----Original Message-----
>> From: ietf-http-wg-request@w3.org [mailto:ietf-http-wg-request@w3.org] On Behalf Of Adam Barth
>> Sent: Thursday, May 26, 2011 8:46 PM
>> To: Mark Nottingham
>> Cc: httpbis Group
>> Subject: Re: #295: Applying original fragment to "plain" redirected URI (also #43)
>>
>> My understanding is that preserving the fragment across the redirect is a net positive for compatibility on the web.  In fact, Eric's blog post mentions that he learned about the behavior by investigating compat problems that IE faces because it lacks this behavior.  I certainly agree that it would be nice to make the specs less cloudy in this regard.  :)
>>
>> Adam
>>
>>
>> On Thu, May 26, 2011 at 8:32 PM, Mark Nottingham <mnot@mnot.net> wrote:
>>> New issue: <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/295>
>>>
>>> As Eric Lawrence pointed out on his blog:
>>>
>>> http://blogs.msdn.com/b/ieinternals/archive/2011/05/17/url-fragments-and-redirects-anchor-hash-missing.aspx
>>>
>>> we don't define what happens when a request-URI has a fragment identifier and is redirected, but the Location header payload doesn't.
>>>
>>> As mentioned in #43, an old I-D did specify behaviour here:
>>>  http://tools.ietf.org/html/draft-bos-http-redirect-00
>>>
>>> Specifically:
>>>
>>> """
>>> If the server returns a response code of 300 ("multiple choice"), 301 ("moved permanently"), 302 ("moved temporarily") or 303 ("see other"), and if the server also returns one or more URIs where the resource can be found, then the client SHOULD treat the new URIs as if the fragment identifier of the original URI was added at the end.
>>> """
>>>
>>> By my testing <https://gist.github.com/330963>*, IE (6 to 9)** and Safari do not apply the fragid (T4 and T8), whereas Opera, Chrome and Firefox do. If anyone has results from other implementations, they'd be most welcome.
>>>
>>> I see two possible ways forward:
>>>  1) As with #43, explicitly state that there isn't interop here.
>>>  2) Define interop along the lines of draft-bos-http-redirect.
>>>
>>> I realise that #2 would break some existing implementations, but I've seen evidence of some real interop pain here, and defining interop where the spec is cloudy *is* within our charter.
>>>
>>> However, I'd really like to hear from implementers as to whether they'd be willing to change their implementations before going down that path.
>>>
>>>
>>> Regarding #43 <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/43>, my most recent testing indicates that, putting aside T4 and T8, there *is* interop on fragment combination for IE6-9, Safari 5, Chrome (current), FF4, FF3.6.15, FF3.0.11, and Opera 11.10.
>>>
>>> This makes me wonder if we should, given this new information, re-open #43 and define precedence rules for fragment combination upon redirects. Thoughts?
>>>
>>> Regards,
>>>
>>>
>>> * Note that the "PASS/FAIL" terminology in those tests is misleading, as it assumes the semantics defined in draft-bos-http-redirect.
>>>
>>> ** IE 6-9 are interesting, in that the location bar URI does not reflect the fragment, nor is it available in JavaScript's location.hash; however the document *does* scroll to the appropriate place on the page when following the link.
>>>
>>> --
>>> Mark Nottingham   http://www.mnot.net/
>>>
>>>
>>>
>>>
>>>
>>
>
> --
> Mark Nottingham   http://www.mnot.net/
>
>
>
>
>

Received on Saturday, 28 May 2011 01:57:53 UTC
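
Added example, not part of the thread and not any participant's or browser's code: a small model of the fragment rule quoted from draft-bos-http-redirect, applied only when the Location value has no fragment of its own, as ticket #295 frames it. It reports which other origins end up with the original fragment attached, the case raised in the security remark at the top of the message. The function names are hypothetical and all URLs are constructed.

```javascript
// Added illustration: function names are hypothetical and all URLs are constructed.

// Resolve a Location value against the request URI. When Location has no
// fragment of its own, the original fragment is appended, as in the
// draft-bos-http-redirect text quoted in the thread.
function resolveRedirect(requestUri, location) {
  const original = new URL(requestUri);
  const target = new URL(location, original); // Location may be relative
  // A "#" anywhere in a URI reference starts its fragment, even an empty one.
  const inherited = !location.includes("#") && original.hash !== "";
  if (inherited) target.hash = original.hash;
  return { url: target.href, inherited };
}

// Walk a redirect chain and list every origin, other than the starting one,
// that a hop lands on with the first request's fragment still attached.
function traceFragment(startUri, locations) {
  const startOrigin = new URL(startUri).origin;
  let current = startUri;
  let carried = new URL(startUri).hash !== "";
  const exposedTo = [];
  for (const location of locations) {
    const hop = resolveRedirect(current, location);
    carried = carried && hop.inherited;
    const origin = new URL(hop.url).origin;
    if (carried && origin !== startOrigin && !exposedTo.includes(origin)) {
      exposedTo.push(origin);
    }
    current = hop.url;
  }
  return { finalUrl: current, exposedTo };
}

// Constructed sample: a fragment holding a token, redirected off-site.
const sample = traceFragment(
  "https://app.example/cb#token=SAMPLE",
  ["/done", "https://other.example/landing"]
);
console.log(sample);
```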