Re: #328: user Intervention on Redirects

On 7/02/2012 1:10 p.m., Martin Thomson wrote:
> On 6 February 2012 15:55, Mark Nottingham wrote:
>> I'm now wondering if we should consider removing this requirement altogether.
> Remove it.  I imagine that the original idea was that you might want
> to prevent a server from getting you to pass your secrets to some
> other server.  Or that it might do a bait and switch.
>
> In a world with clickjacking, this sort of measure just seems naive.
>

Clickjacking as a whole is still very much relevant to this redirection 
capability.
BUT, given that the client UA is where the redirect is done anyway, it 
makes little sense to prohibit it entirely.

IMO move it from the protocol spec to the security threat model as an 
instruction that the UA should take care before following redirects 
automatically.

AYJ

Received on Tuesday, 7 February 2012 04:15:24 UTC
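The two concerns in this exchange, a server redirecting a client so that it hands its credentials or its submitted body to some other server, and the UA being the right place to "take care" before following automatically, can be shown as a redirect policy in a client. The code below is an added example written for this page; it is not code from the thread, from the httpbis drafts, or from any particular browser. The policy it implements is an assumption for illustration: a same-origin redirect is followed with the request intact; a cross-origin redirect drops Authorization, Cookie and Proxy-Authorization before following; an https-to-http downgrade or a cross-origin redirect that would re-submit a request body is handed back for user confirmation rather than followed automatically; and missing Location headers, non-http(s) targets and overlong chains stop the client.

```python
"""Redirect-following policy for an HTTP client (illustrative, not a spec)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Policy constants (chosen for this example, not taken from any spec).
MAX_REDIRECTS = 5
REDIRECT_STATUSES = (301, 302, 303, 307, 308)
# Headers that carry secrets bound to the origin they were issued for.
SENSITIVE_HEADERS = ("authorization", "cookie", "proxy-authorization")


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[bytes] = None


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def _origin(url: str) -> Tuple[str, str, int]:
    """(scheme, host, port) triple; differing triples mean a different origin."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port or (443 if scheme == "https" else 80)
    return (scheme, (p.hostname or "").lower(), port)


def plan_redirect(req: Request, resp: Response, hops: int = 0):
    """Decide what a careful UA does with a 3xx.

    Returns ("follow", next_request) when it is safe to follow automatically,
    ("ask", next_request) when user intervention is warranted, or
    ("stop", None) when the redirect must not be followed at all.
    """
    if resp.status not in REDIRECT_STATUSES:
        return "stop", None
    location = _header(resp.headers, "Location")
    if location is None or hops >= MAX_REDIRECTS:
        return "stop", None
    target = urljoin(req.url, location)  # Location may be relative
    if urlsplit(target).scheme.lower() not in ("http", "https"):
        return "stop", None  # never auto-follow into javascript:, file:, etc.

    # 303 always becomes GET; 301/302 turn POST into GET (common UA behaviour).
    method, body = req.method.upper(), req.body
    if resp.status == 303 or (resp.status in (301, 302) and method == "POST"):
        method, body = "GET", None
    headers = dict(req.headers)
    if body is None:
        # No body any more, so the entity headers describing it must go too.
        headers = {k: v for k, v in headers.items()
                   if not k.lower().startswith("content-")}

    decision = "follow"
    src, dst = _origin(req.url), _origin(target)
    if src != dst:
        # Cross-origin: never let one server redirect our secrets to another.
        headers = {k: v for k, v in headers.items()
                   if k.lower() not in SENSITIVE_HEADERS}
        if src[0] == "https" and dst[0] == "http":
            decision = "ask"  # downgrade: confirm before sending in the clear
        if body is not None:
            decision = "ask"  # bait and switch: re-POSTing user data elsewhere
    return decision, Request(method, target, headers, body)


if __name__ == "__main__":
    # Constructed exchange: a login POST answered with a 307 to another host.
    login = Request("POST", "https://a.example/login",
                    {"Cookie": "s=1", "Content-Type": "application/x-www-form-urlencoded"},
                    b"user=alice&pass=hunter2")
    print(plan_redirect(login, Response(307, {"Location": "https://b.example/collect"})))
```

The decision value is what the UA acts on: "follow" is the automatic case, "ask" is exactly the point at which the thread suggests the threat model should tell a UA to involve the user, and "stop" covers the malformed or looping cases that no amount of user consent should rescue.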