Re: [whatwg/fetch] Header to opt out of opaque redirect (#601)

@annevk my comments weren't off-topic, they are related. If you don't like them, that's not a tech reason to ban the author. If there was rudeness - I am sorry.

Let's concentrate on this option - `redirect:manual`. The way it is currently **defined** in the spec is wasted/screwed/meaningless. That is *an assessment of your work*, not rudeness. The browser already follows the route prescribed by the spec, so it's testable - I did the test - it doesn't work. You may prove it's working - create your test. If you need mine, I'll drop it.

#### Workarounds, workarounds..

Besides the method proposed by the issue starter, there were already valid methods posted. For example, returning a custom HTTP STATUS 4xx - will work now, without further negotiations with WHATWG and the browser makers. I would call @slaneyrw my ally, because he operates on the same interest level as I do, but has more strength not to be rude.

#### Interest?
```
end users - app maker - browser maker - spec maker

(we all) - (me) - (googler) - (you)
```

#### Black and White

Let's concentrate on the main reason why - security. You gave an example: https://fetch.spec.whatwg.org/#atomic-http-redirect-handling - it says that:

> Except for the last response URL, if any, a response’s URL list cannot be exposed to script

Let it be correct (without a test?). So, there is no URL for `redirect:manual`.
Job's done, option blocked.

The restriction itself opens doors. My test above shows one route, there will be others. Am I a hacker - security breaker? That's funny - you can't force users to security or not to quit security - he/she may drop their passwords anywhere, anytime. You may only ***opt-in security by default*** and may warn the user (at the cost of the user's hate) when he/she follows another road. That's the basics of incorrect restrictions - ***technical***, non-political.

The restriction itself closes back-compatibility with the old servers. Does it close some security holes? Some old annoying problems with the old stuff? May I see some info about it?

#### Off-topic

If you don't understand and don't accept anything written above, I have nothing more to advance to this repo/spec. Last comment, just don't answer - decide it alone with the browser makers as my interest is opted-out together with the end user interest. But let it hang here, you may close the issue. Otherwise, let's consider all accepted decisions arrived from googlers who advanced from the end user's point as incorrect.

Regards

-- 
View it on GitHub:
https://github.com/whatwg/fetch/issues/601#issuecomment-593424614

Received on Monday, 2 March 2020 14:19:32 UTC