- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Sat, 10 Jan 2015 11:46:05 +0100
- To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 2015-01-09 20:56, Mark Nottingham wrote:
> Brad Hill brought up an interesting proposal on the repo (I closed the issue as it was in the wrong place).
>
> --8<---
>
> A recurring weakness with OAuth and related capability URL usages (http://www.w3.org/TR/capability-urls/) is the reapplication of URL fragments on redirects:
>
> http://tools.ietf.org/html/rfc7231#section-9.5
>
> This behavior is frequently abused in combination with resources that act as open redirectors to leak sensitive information in a fragment.
>
> I would like to suggest an additional header, 'Fragment-Scope' that could be sent with a Location header on a 3xx to control the disposition of a fragment after a redirect. Values would be 'no-redirect' which would instruct the user agent to discard the fragment on any subsequent redirect, or 'same-origin' which would discard the fragment after any non-same-origin redirect. The scope rule, once set, would remain until the user agent terminates following redirects. (so a 'same-origin' policy could not be stripped by redirecting to a second open-redirector in the same origin, and then off-origin from there).
>
> --->8--
>
> What do people think?
>
> --
> Mark Nottingham http://www.mnot.net/

I'd like to see a better explanation of the problem. An example would help as well.

Best regards, Julian
Received on Saturday, 10 January 2015 10:46:40 UTC
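The following is an added worked example, not part of the thread and not code from either author: a small user-agent simulation of the fragment inheritance rule in RFC 7231 (a Location without a fragment inherits the fragment of the request URI) alongside the proposed Fragment-Scope header. The server table, URLs and token value are constructed; the header itself is hypothetical, and the rule that a later Fragment-Scope value may only tighten (never relax) an already-set policy is this example's own reading of "once set, would remain".

```python
from urllib.parse import urlsplit, urlunsplit

# Strictness ranking for the hypothetical Fragment-Scope values (assumption: a
# later header may tighten the active policy but never relax it).
STRICTNESS = {None: 0, "same-origin": 1, "no-redirect": 2}


def origin(url):
    """Scheme + authority, the same-origin comparison key used below."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


def header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def next_target(current_url, location, policy):
    """Resolve an absolute Location value into the next request URI.

    RFC 7231 behaviour: a Location without a fragment inherits the fragment of
    the current URI. The active Fragment-Scope policy (if any) decides whether
    that inherited fragment is discarded instead.
    """
    cur = urlsplit(current_url)
    loc = urlsplit(location)
    if loc.fragment:
        return location  # Location carries its own fragment; nothing is inherited
    fragment = cur.fragment
    if policy == "no-redirect":
        fragment = ""
    elif policy == "same-origin" and origin(current_url) != origin(location):
        fragment = ""
    return urlunsplit((loc.scheme, loc.netloc, loc.path, loc.query, fragment))


def follow(server, start_url, max_hops=10):
    """Walk a redirect chain; return (final_url, list_of_request_uris).

    `server` maps a request URI (fragment stripped, as a UA never sends it)
    to a (status, headers) pair. The Fragment-Scope policy is sticky across
    the whole chain, so a second open redirector on the same origin cannot
    shed a policy that an earlier hop established.
    """
    policy = None
    url = start_url
    hops = [url]
    for _ in range(max_hops):
        key = urlunsplit(urlsplit(url)._replace(fragment=""))
        status, headers = server[key]
        location = header(headers, "Location")
        if not (300 <= status < 400) or location is None:
            return url, hops
        scope = header(headers, "Fragment-Scope")
        if scope in STRICTNESS and STRICTNESS[scope] > STRICTNESS[policy]:
            policy = scope
        url = next_target(url, location, policy)
        hops.append(url)
    raise RuntimeError("too many redirects")


def sample_server(scope=None):
    """Constructed three-hop chain: OAuth-style callback -> open redirector on
    the same origin -> unrelated third-party origin. `scope` is the
    Fragment-Scope value the first hop sends (None = header absent)."""
    first_headers = {"Location": "https://app.example/open-redirect"}
    if scope:
        first_headers["Fragment-Scope"] = scope
    return {
        "https://app.example/cb": (302, first_headers),
        "https://app.example/open-redirect": (302, {"Location": "https://other.example/landing"}),
        "https://other.example/landing": (200, {}),
    }


# Constructed starting URI: a token delivered in the fragment, as OAuth implicit flow does.
START = "https://app.example/cb#access_token=CONSTRUCTED-TOKEN"


def final_url(scope=None):
    """Where the user agent ends up (fragment included) for a given first-hop policy."""
    return follow(sample_server(scope), START)[0]


if __name__ == "__main__":
    for scope in (None, "same-origin", "no-redirect"):
        final, hops = follow(sample_server(scope), START)
        print(f"Fragment-Scope={scope!r}:")
        for hop in hops:
            print("   ", hop)
```

With no header the third-party landing page receives the token in its fragment; with `same-origin` the fragment survives the first, same-origin hop but is dropped when the chain leaves the origin; with `no-redirect` it is dropped at the first hop. The second hop never sends Fragment-Scope, which is exactly the case the proposal's stickiness clause covers.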