Re: #328: user Intervention on Redirects from Martin Thomson on 2012-02-07 (ietf-http-wg@w3.org from January to March 2012)

From: Martin Thomson <martin.thomson@gmail.com>
Date: Tue, 7 Feb 2012 11:25:42 -0800
To: Chris Weber <chris@lookout.net>
Cc: Julian Reschke <julian.reschke@gmx.de>, Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CABkgnnWmPWH2a4g78r2roZXYSPCg=oYoXObMatPv9Wn0+ayDWQ@mail.gmail.com>

It's not so much the issue of having an open redirect, it more relates
to the way that the browser assigns some level of trust to the server
when following the redirect.  Worse, the target server assigns a
degree of trust to the client when accepting the new request.

Received on Tuesday, 7 February 2012 19:29:48 UTC