- From: Jonathan Rees <jar@creativecommons.org>
- Date: Thu, 4 Feb 2010 11:39:14 -0500
- To: www-tag@w3.org
This is a checkin regarding ACTION-348 "Research reasons why browser providers (e.g. Mozilla) aren't willing to meet requests (e.g. from purl) to retain address bar URL following successful redirect".

I can't say my research is done, but I did find the following

https://bugzilla.mozilla.org/show_bug.cgi?id=68423

initiated by a W3C note complaining about the location bar problem in 2001:

http://www.w3.org/TR/2001/NOTE-cuap-20010206#protocols

The discussion on that thread sort of peters out, with some people saying "follow what 2616 says, it's not only right but useful" and others saying "that would be awful, it would be a nasty security hole", i.e. it's not very informative. As far as I can tell the bug is still open, so no decision has been reached (i.e. the current behavior will continue).

I've found various vague references to 307-related threats, all of the form http://trustysite.com/path doing a 307 redirect to http://attacker.com/anotherpath. This can happen if trustysite provides a redirection service to its users, or if there's a redirection script that can be tricked by passing in parameters specifying the attacker's site. In any case, the risk relies on a user treating a page as "trustworthy" merely by virtue of being labeled, in the browser UI, with a URI that begins with the domain name of a "trusted" site. I think the authors of 2616 would probably say that's a bug in the server or the user or both.

I'm focusing on 307 instead of 302 because 302 has the additional complication that it has in the past been used sometimes in the 303 sense and sometimes in the 307 sense. That is an extraneous issue.

My research continues; I have yet to find adequate documentation of these threats, or a record of any statement or complaint from OCLC on the matter, but am looking. Any tips are welcome.

Jonathan
Received on Thursday, 4 February 2010 16:39:42 UTC
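The "redirection script that can be tricked by passing in parameters" scenario from the message above, as an added example that is not part of the original post or of any W3C or Mozilla code. It models a redirect endpoint on the trusted host (hostnames trustysite.com and attacker.com are the placeholders from the message; the query parameter name `url` and the function names are assumptions) in its open-redirect form and in a hardened form that only accepts same-origin targets, plus a toy model of what a browser does today: follow the chain and put the final URL in the location bar.

```javascript
// Added example (not from the original message). Models an open-redirect
// endpoint on a trusted host issuing a 307 to an attacker site, the
// allow-list check that prevents it, and a toy browser that follows the
// chain and reports what the location bar would show.
// Assumptions: the redirect target is passed in a query parameter named
// "url"; hostnames are the placeholders used in the message.

const TRUSTED_ORIGIN = "http://trustysite.com";

function targetParam(requestUrl) {
  return new URL(requestUrl, TRUSTED_ORIGIN).searchParams.get("url");
}

// Vulnerable form: whatever is in ?url= is echoed into Location unchecked,
// so http://trustysite.com/redirect?url=http://attacker.com/anotherpath
// becomes a 307 to attacker.com served from a trusted-looking URL.
function vulnerableRedirect(requestUrl) {
  const target = targetParam(requestUrl);
  if (!target) return { status: 404 };
  return { status: 307, location: new URL(target, TRUSTED_ORIGIN).href };
}

// Hardened form: resolve the parameter against the trusted origin and
// refuse anything whose origin differs. This rejects absolute URLs to other
// hosts, protocol-relative //attacker.com/..., and non-http schemes
// (whose origin resolves to "null"), while still allowing relative paths.
function safeRedirect(requestUrl) {
  const target = targetParam(requestUrl);
  if (!target) return { status: 404 };
  let resolved;
  try {
    resolved = new URL(target, TRUSTED_ORIGIN);
  } catch (e) {
    return { status: 400 };
  }
  if (resolved.origin !== TRUSTED_ORIGIN) return { status: 400 };
  return { status: 307, location: resolved.href };
}

// Toy browser: `handlers` maps an origin to the function serving it; an
// origin with no handler is treated as serving content directly (200).
// Returns the URL the location bar would show under today's behaviour,
// i.e. the URL of the final response, not the URL the user typed.
function followRedirects(handlers, startUrl, maxHops = 5) {
  let current = startUrl;
  for (let hop = 0; hop < maxHops; hop++) {
    const handler = handlers[new URL(current).origin];
    if (!handler) return { locationBar: current, status: 200 };
    const resp = handler(current);
    if (resp.status !== 307) return { locationBar: current, status: resp.status };
    current = resp.location;
  }
  throw new Error("too many redirects");
}

// Constructed request: the trusted redirector asked to send the user off-site.
const ATTACK_REQUEST =
  "http://trustysite.com/redirect?url=http://attacker.com/anotherpath";

console.log("vulnerable:", followRedirects({ [TRUSTED_ORIGIN]: vulnerableRedirect }, ATTACK_REQUEST));
console.log("hardened:  ", followRedirects({ [TRUSTED_ORIGIN]: safeRedirect }, ATTACK_REQUEST));
```

The point the toy browser makes is the one the thread argues over: with the vulnerable handler the location bar ends up reading attacker.com, so the user at least sees where they landed; if the browser instead retained the original address, as the 2616 reading would have it, the same attacker page would be labelled with the trusted domain.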