- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 02 Jun 2012 11:54:17 +0200
- To: Peter Saint-Andre <stpeter@stpeter.im>
- CC: ietf-http-wg@w3.org
On 2012-06-01 23:02, Peter Saint-Andre wrote: > Dear HTTPBIS WG: > > Please correct me if I'm wrong, but it appears that the HTTP > specifications [1] don't say anything about the circumstances under > which an HTTP client ought to, or ought not to, follow a redirect (such > as we defined for XMPP in RFC 6120 [2]). It does say a few things about what to consider when following redirects to unsafe methods; but that's it. In general, the spec describes format and semantics of HTTP messages and doesn't try to describe what to do with them. > My questions include: Is it OK if an HTTP request to somedomain.tld is > redirected to anotherdomain.tld? ... Why not? It happens all the time. > ... What about an HTTPS request? For the > latter, at what point in the secure connection request is it OK to > accept a redirect? Do both confidentiality and integrity need to be > established before it's OK to follow the redirect? Does the client need > to apply the same policies to anotherdomain.tld that it would have > applied to somedomain.tld (e.g., mandating encryption)? What server > identity does the client check (per RFC 2818)? Etc. If we need to describe it, the spec defining HTTPS probably would be the right place. > As I said, perhaps these matters are described somewhere and I missed > them; if so, a pointer would be appreciated. > > Thanks! > > Peter > > [1] I checked RFC 2616, RFC 2818, draft-ietf-httpbis-p1-messaging-19, > draft-ietf-httpbis-p2-semantics-19, and > draft-ietf-httpbis-security-properties-05 > > [2] http://tools.ietf.org/html/rfc6120#section-4.9.3.19 Best regards, Julian
Received on Saturday, 2 June 2012 09:54:50 UTC