- From: Jonathan Rees <jar@creativecommons.org>
- Date: Fri, 12 Feb 2010 17:44:39 -0500
- To: www-talk@w3.org
Dear www-talkers,

When browsing to URI A leads to a 307 or 302 redirect to URI B, all browsers show B in the "address bar", not A. This might be seen to be in contradiction to RFC 2616 "Since the redirection might be altered on occasion, the client SHOULD continue to use the Request-URI for future requests" and is in contradiction with the advice in the W3C "Common User Agent Problems" note http://www.w3.org/TR/2001/NOTE-cuap-20010206.

I don't want to dispute whether browser behavior is correct, but I am trying to research the reasons, especially historical ones, why it is considered correct.

Specifically I'm looking for

1. anything in the historical record on this topic, especially a browser author saying "we did it this way because ..."
2. specific cases where there has been, or could have been, a real security problem

or lacking these:

3. specific description of what a threat would be (not just a general statement about phishing or whatever) with an account of server and user psychology
4. pointers to places I might go to continue research

Perhaps #2 doesn't exist, if browsers that showed A instead of B were never deployed; I don't know.

I'm already aware of Mozilla bug #68423, which I find uninformative.

Thanks for any help.

Best
Jonathan

Received on Friday, 12 February 2010 22:45:11 UTC