- From: Dick Hardt <dick.hardt@gmail.com>
- Date: Mon, 5 Jan 2026 17:30:26 +0100
- To: HTTP Working Group <ietf-http-wg@w3.org>
- Cc: Sam Goto <goto@google.com>
- Message-ID: <CAD9ie-ts2gpiyTjJ6vBd2DKRja0gLNCuw9WSh-sHqg0Sz5qjSg@mail.gmail.com>
Hey,
I've posted a new Internet-Draft proposing HTTP headers to address security
and privacy concerns in redirect-based authentication protocols:
https://datatracker.ietf.org/doc/draft-hardt-httpbis-redirect-headers/
The draft defines three headers:
- Redirect-Query: Carries redirect parameters in headers instead of URLs,
preventing leakage through browser history, Referer headers, server logs,
and analytics systems.
- Redirect-Origin: Provides browser-verified origin authentication that
cannot be spoofed or stripped.
- Redirect-Path: Allows servers to request path-specific origin
verification.
The primary motivation is protecting authorization codes in OAuth/OIDC
flows from the various URL leakage vectors documented in RFC 9700.
Secondary motivation is improving redirect origin validation.
A key design goal is incremental deployment—clients, browsers, and
authorization servers can each add support independently, with no
coordination required.
As browser support is a requirement for the functionality, I have worked
with Sam Goto from the Google Chrome team to confirm browser interest, and
Sam has joined as a co-author.
Feedback welcome. Issues and discussion at:
https://github.com/dickhardt/redirect-headers
Dick & Sam
Received on Monday, 5 January 2026 16:31:07 UTC