- From: Peter Saint-Andre <stpeter@stpeter.im>
- Date: Mon, 04 Jun 2012 08:42:12 -0600
- To: Julian Reschke <julian.reschke@gmx.de>
- CC: ietf-http-wg@w3.org
On 6/2/12 3:54 AM, Julian Reschke wrote:
> On 2012-06-01 23:02, Peter Saint-Andre wrote:
>> Dear HTTPBIS WG:
>>
>> Please correct me if I'm wrong, but it appears that the HTTP specifications [1] don't say anything about the circumstances under which an HTTP client ought to, or ought not to, follow a redirect (such as we defined for XMPP in RFC 6120 [2]).
>
> It does say a few things about what to consider when following redirects to unsafe methods; but that's it.
>
> In general, the spec describes format and semantics of HTTP messages and doesn't try to describe what to do with them.
>
>> My questions include: Is it OK if an HTTP request to somedomain.tld is redirected to anotherdomain.tld? ...
>
> Why not? It happens all the time.

Just because something happens all the time does not mean it is safe or secure. :)

>> ... What about an HTTPS request? For the latter, at what point in the secure connection request is it OK to accept a redirect? Do both confidentiality and integrity need to be established before it's OK to follow the redirect? Does the client need to apply the same policies to anotherdomain.tld that it would have applied to somedomain.tld (e.g., mandating encryption)? What server identity does the client check (per RFC 2818)? Etc.
>
> If we need to describe it, the spec defining HTTPS probably would be the right place.

Do you mean 2818(bis) or the security properties spec? In any case, I would be happy to propose text.

Peter

--
Peter Saint-Andre
https://stpeter.im/
Received on Monday, 4 June 2012 17:16:38 UTC
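The questions in the message above (cross-domain redirects, carrying the original domain's encryption policy over to the new one, and which server identity to verify per RFC 2818) amount to a client-side redirect policy. The following is an added illustration, not code from the thread or from any HTTP library: a constructed decision function that resolves a `Location` header against the request URL, refuses an HTTPS-to-HTTP downgrade, optionally refuses cross-domain targets, caps the hop count, and names the host whose certificate identity the client must check if it does follow. The policy knobs (`require_tls`, `allow_cross_domain`, `max_hops`) are assumptions for the example.

```python
from dataclasses import dataclass
from urllib.parse import urljoin, urlsplit


@dataclass(frozen=True)
class RedirectDecision:
    follow: bool
    reason: str
    target: str = ""               # absolute URL the redirect points at
    identity_to_verify: str = ""   # reference identity for the TLS check


def redirect_policy(request_url: str, location: str, *, require_tls: bool,
                    allow_cross_domain: bool, hops_so_far: int,
                    max_hops: int = 5) -> RedirectDecision:
    """Decide whether a client should follow a 3xx Location header.

    Constructed example policy; not the behaviour of any particular client.
    """
    if hops_so_far >= max_hops:
        return RedirectDecision(False, "too many redirects")

    # Location may be relative (or scheme-relative, e.g. //other.tld/x),
    # so resolve it against the request URL before inspecting it.
    target = urljoin(request_url, location)
    src, dst = urlsplit(request_url), urlsplit(target)
    if dst.scheme not in ("http", "https") or not dst.hostname:
        return RedirectDecision(False, "unsupported or malformed target", target)

    # The policy applied to the original domain carries over to the new one:
    # a request made over HTTPS (or under a mandate-encryption policy) must
    # not be silently downgraded to cleartext by the redirect.
    if (src.scheme == "https" or require_tls) and dst.scheme != "https":
        return RedirectDecision(False, "downgrade to cleartext refused", target)

    cross = (src.hostname or "").lower() != dst.hostname.lower()
    if cross and not allow_cross_domain:
        return RedirectDecision(False, "cross-domain redirect refused", target)

    # Per RFC 2818 the identity the client checks is that of the server it
    # actually connects to, i.e. the redirect target's host, not the original.
    identity = dst.hostname.lower() if dst.scheme == "https" else ""
    reason = "cross-domain redirect permitted" if cross else "same-domain redirect"
    return RedirectDecision(True, reason, target, identity)
```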