
Re: New header for "Fragment-Scope"?

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 10 Jan 2015 11:46:05 +0100
Message-ID: <54B102ED.3000501@gmx.de>
To: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On 2015-01-09 20:56, Mark Nottingham wrote:
> Brad Hill brought up an interesting proposal on the repo (I closed the issue as it was in the wrong place).
>
> --8<---
>
> A recurring weakness with OAuth and related capability URL usages (http://www.w3.org/TR/capability-urls/) is the reapplication of URL fragments on redirects:
>
> http://tools.ietf.org/html/rfc7231#section-9.5
>
> This behavior is frequently abused in combination with resources that act as open redirectors to leak sensitive information in a fragment.
>
> I would like to suggest an additional header, 'Fragment-Scope' that could be sent with a Location header on a 3xx to control the disposition of a fragment after a redirect. Values would be 'no-redirect' which would instruct the user agent to discard the fragment on any subsequent redirect, or 'same-origin' which would discard the fragment after any non-same-origin redirect. The scope rule, once set, would remain until the user agent terminates following redirects. (so a 'same-origin' policy could not be stripped by redirecting to a second open-redirector in the same origin, and then off-origin from there).
>
> -->8--
>
> What do people think?
>
> --
> Mark Nottingham   http://www.mnot.net/

I'd like to see a better explanation of the problem. An example would 
help as well.

Best regards, Julian
Received on Saturday, 10 January 2015 10:46:40 UTC
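The proposal quoted above, worked through as an added illustration that is not part of this thread: a Python sketch of a user agent walking a redirect chain, first with only the RFC 7231 section 9.5 fragment inheritance rule and then with the proposed Fragment-Scope header honoured. It assumes that the header applies to the redirect it accompanies and to every later hop, that a scope once set can only be tightened, and it uses invented hosts, paths and a placeholder token.

```python
from urllib.parse import urlsplit, urlunsplit

# How much each Fragment-Scope value restricts the fragment; None = unset.
STRICTNESS = {None: 0, "same-origin": 1, "no-redirect": 2}

def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)

def strip_fragment(url):
    return urlunsplit(urlsplit(url)._replace(fragment=""))

def inherit_fragment(location, current):
    """RFC 7231 section 9.5: a Location without a fragment inherits the
    fragment of the URI that generated the request."""
    loc = urlsplit(location)
    if loc.fragment:
        return location
    return urlunsplit(loc._replace(fragment=urlsplit(current).fragment))

def follow(start, responses, honour_fragment_scope=True, max_hops=10):
    """Walk a redirect chain. `responses` maps a fragment-less request URL to
    (Location, Fragment-Scope value or None); a URL not in the map is the
    final resource. Returns the URL the user agent ends up at, including any
    fragment it still carries."""
    current, scope = start, None
    for _ in range(max_hops):
        key = strip_fragment(current)
        if key not in responses:
            return current
        location, new_scope = responses[key]
        # Assumption: a scope is sticky for the rest of the chain and a later
        # response may tighten it but never relax it.
        if honour_fragment_scope and STRICTNESS.get(new_scope, 0) > STRICTNESS[scope]:
            scope = new_scope
        nxt = inherit_fragment(location, current)
        if scope == "no-redirect" or (scope == "same-origin" and origin(nxt) != origin(current)):
            nxt = strip_fragment(nxt)
        current = nxt
    raise RuntimeError("too many redirects")

# Constructed scenario (invented hosts, paths and token): a token sits in the
# fragment of a capability URL; the same origin hosts an open redirector that
# sends the user agent off-origin. The first 3xx sets Fragment-Scope: same-origin.
TOKEN_URL = "https://app.example/callback#access_token=PLACEHOLDER"
CHAIN = {
    "https://app.example/callback":
        ("https://app.example/redirector?next=https://other.example/", "same-origin"),
    "https://app.example/redirector?next=https://other.example/":
        ("https://other.example/", None),
}

if __name__ == "__main__":
    print("RFC 7231 only:   ", follow(TOKEN_URL, CHAIN, honour_fragment_scope=False))
    print("Fragment-Scope:  ", follow(TOKEN_URL, CHAIN))
```

With the header ignored the fragment reaches other.example; with it honoured the same-origin hop keeps the fragment and the sticky scope strips it on the off-origin hop, even though the second 3xx sends no Fragment-Scope of its own.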
