- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Tue, 7 Feb 2012 14:09:00 -0800
- To: Amos Jeffries <squid3@treenet.co.nz>
- Cc: ietf-http-wg@w3.org
On 7 February 2012 13:47, Amos Jeffries <squid3@treenet.co.nz> wrote:
> On 08.02.2012 05:38, Martin Thomson wrote:
>> to Y, so I either automatically modify Y, or require confirmation
>> before doing so.
>
> When redirect is allowed to be done always there is no "or,". With some
> potential for problems.

Right. I hate "or". I'd rather not have the point of flexibility, but am willing to live with it (hence my response to Julian's suggestion - it's a definite improvement on the text, though not the substance).

On the other hand, if all clients followed redirects, safe method or not, then we at least have something we can build on. Right now, the uncertainty means that you can't rely on any particular behaviour at all. That imposes a constraint that I don't like very much.

> Anne appears to know of an application use-case that would jump head first
> into that usage if given half a chance.

I have one too. It relies on a permanent redirect for unsafe methods. Crazy, but far more elegant than any alternatives.

> Or one of the other "open redirect" problems mentioned already.

Open redirects are not the problem. They are "a" problem, but requiring one behaviour or the other here isn't going to fix the open redirect problem unless you wanted to stop automatic follows for safe methods as well...or you had some sort of magic fairy wand that made all resources in existence safe for safe requests.

--Martin
Received on Tuesday, 7 February 2012 22:13:15 UTC