Re: #328: user Intervention on Redirects

Open redirectors usually use GET requests rather than unsafe methods.

Adam
On Feb 7, 2012 9:39 AM, "Chris Weber" <chris@lookout.net> wrote:

> On 2/7/2012 9:21 AM, Julian Reschke wrote:
> > Clarifying: "Open" means that the target of the redirect actually
> > depends on something the request contains, such as a query parameter,
> > right?
>
> True, that's the most common case.  An example would be -
> http://www.example.com/redir?target=http://foo.bar - where the query
> parameter named 'target' has a user-controlled value which gets used
> (most commonly) in an HTTP 302 redirect's 'Location' header.
>
> ---- REQUEST ----
>
> GET /redir?target=http://foo.bar HTTP/1.1
> Host: www.example.com
>
> ---- RESPONSE ----
>
> HTTP/1.1 302 Found
> Location: http://foo.bar/
>
>
>
> -CW
>
>

Received on Tuesday, 7 February 2012 19:03:21 UTC
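
The `/redir?target=...` pattern quoted in the message above, seen from the server side: an added example (not part of the original thread) of choosing the `Location` value so that the redirect is no longer open. The function name `safe_location`, the host allowlist and the fallback path are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: hosts this site is willing to redirect to (constructed values).
ALLOWED_HOSTS = {"www.example.com", "docs.example.com"}
FALLBACK = "/"  # assumption: where rejected targets are sent instead


def safe_location(request_target: str) -> str:
    """Return the Location value for a request such as /redir?target=..."""
    values = parse_qs(urlsplit(request_target).query).get("target", [])
    if len(values) != 1:  # missing or repeated parameter
        return FALLBACK
    target = values[0]
    # Browsers treat "\" like "/" and drop control characters, so a value
    # containing either can resolve to a host the server never parsed.
    if "\\" in target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return FALLBACK
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed bracketed host
        return FALLBACK
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only a same-site absolute path.
        # "//host" and "///host" both resolve to another origin in browsers.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return FALLBACK
    if parts.scheme not in ("http", "https"):
        return FALLBACK
    if parts.username or parts.password or parts.hostname not in ALLOWED_HOSTS:
        return FALLBACK
    return target
```
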