W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2012

Re: WGLC issue: following HTTP redirects

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 02 Jun 2012 11:54:17 +0200
Message-ID: <4FC9E2C9.30008@gmx.de>
To: Peter Saint-Andre <stpeter@stpeter.im>
CC: ietf-http-wg@w3.org
On 2012-06-01 23:02, Peter Saint-Andre wrote:
> Please correct me if I'm wrong, but it appears that the HTTP
> specifications [1] don't say anything about the circumstances under
> which an HTTP client ought to, or ought not to, follow a redirect (such
> as we defined for XMPP in RFC 6120 [2]).

It does say a few things about what to consider when following redirects 
to unsafe methods; but that's it.

In general, the spec describes format and semantics of HTTP messages and 
doesn't try to describe what to do with them.

> My questions include: Is it OK if an HTTP request to somedomain.tld is
> redirected to anotherdomain.tld? ...

Why not? It happens all the time.

> ... What about an HTTPS request? For the
> latter, at what point in the secure connection request is it OK to
> accept a redirect? Do both confidentiality and integrity need to be
> established before it's OK to follow the redirect? Does the client need
> to apply the same policies to anotherdomain.tld that it would have
> applied to somedomain.tld (e.g., mandating encryption)? What server
> identity does the client check (per RFC 2818)? Etc.

If we need to describe it, the spec defining HTTPS probably would be the 
right place.

> As I said, perhaps these matters are described somewhere and I missed
> them; if so, a pointer would be appreciated.
> Thanks!
> Peter
> [1] I checked RFC 2616, RFC 2818, draft-ietf-httpbis-p1-messaging-19,
> draft-ietf-httpbis-p2-semantics-19, and
> draft-ietf-httpbis-security-properties-05
> [2] http://tools.ietf.org/html/rfc6120#section-

Best regards, Julian
Received on Saturday, 2 June 2012 09:54:50 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:00 UTC