- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 7 Feb 2012 08:38:04 -0800
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On 7 February 2012 08:07, Julian Reschke <julian.reschke@gmx.de> wrote:
> The redirect might go to a resource that the user didn't ask to modify.

I don't see the problem. So I ask to modify X, but then X points me to Y, so I either automatically modify Y, or require confirmation before doing so.

There isn't a security problem. X has the information and could forward to Y itself. The only concern is over intent. Whether the intent of the client extends to permitting a server to direct their request.

I know that curl has a command line option for this behaviour, but most clients don't have the luxury of millions of options. So when you have to pick an option, choose the one that doesn't require a dialog box.

Ultimately, this is between you and your client. A specification shouldn't really need to say anything about it (though we might make an exception for a security issue).

--Martin

Received on Tuesday, 7 February 2012 16:42:34 UTC