[Errata Rejected] RFC7231 (6354)

RFC Errata System <rfc-editor@rfc-editor.org> Tue, 15 December 2020 14:56 UTC

To: psturge@honeycomb.co.uk, fielding@gbiv.com, julian.reschke@greenbytes.de
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: barryleiba@computer.org, iesg@ietf.org, ietf-http-wg@w3.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset="UTF-8"
Message-Id: <20201215145250.876C1F40709@rfc-editor.org>
Date: Tue, 15 Dec 2020 06:52:50 -0800
Subject: [Errata Rejected] RFC7231 (6354)
Archived-At: <https://www.w3.org/mid/20201215145250.876C1F40709@rfc-editor.org>

The following errata report has been rejected for RFC7231,
"Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content".

--------------------------------------
You may review the report below and at:
https://www.rfc-editor.org/errata/eid6354

--------------------------------------
Status: Rejected
Type: Technical

Reported by: Peter Sturge <psturge@honeycomb.co.uk>
Date Reported: 2020-12-10
Rejected by: Barry Leiba (IESG)

Section: 7.1.2.

Original Text
-------------
The field value consists of a single URI-reference.  When it has the
   form of a relative reference ([RFC3986], Section 4.2), the final
   value is computed by resolving it against the effective request URI
   ([RFC3986], Section 5).

   For 201 (Created) responses, the Location value refers to the primary
   resource created by the request.  For 3xx (Redirection) responses,
   the Location value refers to the preferred target resource for
   automatically redirecting the request.

   If the Location value provided in a 3xx (Redirection) response does
   not have a fragment component, a user agent MUST process the
   redirection as if the value inherits the fragment component of the
   URI reference used to generate the request target (i.e., the
   redirection inherits the original reference's fragment, if any).

   For example, a GET request generated for the URI reference
   "http://www.example.org/~tim" might result in a 303 (See Other)
   response containing the header field:

     Location: /People.html#tim

   which suggests that the user agent redirect to
   "http://www.example.org/People.html#tim"

Corrected Text
--------------
The field value consists of a single URI-reference. Relative forms are not allowed and MUST include the entire redirected URI, even if the base URL part has not changed.

Notes
-----
Relative URIs in Location redirect headers should not be allowed.
Allowing relative URIs opens up, at best, inconsistent and poor implementations and interpretations, but more importantly it opens serious security holes.
For example, when the redirect emanates from a URL shortening service (e.g. bitly.com), an attacker can 'chain' multiple relative shortened URIs, effectively obfuscating the final and malicious site.
If security tools attempt to 'rebuild and resolve', this will have an impact on performance, and itself can be exploited by attackers by creating a circular redirect (this can of course be done with full URIs as well, but then a security monitoring tool can more easily detect such a scenario).
Yes, one would expect security tools to only redirect to a small maximum count (say 3), but in a Denial-of-Service attack, many of these can render a security monitoring tool impotent to other attacks happening in parallel.
In addition, unless *all* User-Agents (and there are a lot of them out there) interpret the relative URL absolutely consistently, this can lead to incorrect navigation at best, and such inconsistencies can be easily exploited by attackers at worst.
All in all, at a time when the industry is trying to make internet operations safer and more secure, allowing relative URLs does the opposite, and with little to no gain from allowing them.
--VERIFIER NOTES--
The text says what the working group intended it to say, and this is not an erratum.  What's more, it accurately reflects real-world usage.

The place to discuss changes such as this proposal, to be considered for future updates, is the HTTP working group's mailing list; see <https://datatracker.ietf.org/wg/httpbis/about/>.

--------------------------------------
RFC7231 (draft-ietf-httpbis-p2-semantics-26)
--------------------------------------
Title               : Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
Publication Date    : June 2014
Author(s)           : R. Fielding, Ed., J. Reschke, Ed.
Category            : PROPOSED STANDARD
Source              : Hypertext Transfer Protocol Bis APP
Area                : Applications
Stream              : IETF
Verifying Party     : IESG
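As an added illustration, not part of the errata report or of RFC 7231 itself: a Python resolver for the Section 7.1.2 rule quoted above (a relative Location is resolved against the request URI, and a Location with no fragment inherits the request reference's fragment), followed by a bounded redirect-chain walker of the kind the reporter's notes say a monitoring tool needs, with a hop limit and loop detection. The redirect table is constructed sample data, and the function names are this example's own.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit


def resolve_location(request_ref: str, location: str) -> str:
    """Final Location value per RFC 7231 Section 7.1.2.
    request_ref is the URI reference the user agent used to generate the
    request; it may carry a fragment, which never goes on the wire."""
    # Relative references are resolved against the effective request URI
    # (RFC 3986, Section 5); urljoin implements that algorithm.
    resolved = urljoin(request_ref, location)
    # A Location with no fragment component inherits the request reference's
    # fragment.  A "#" in the raw value means a (possibly empty) fragment exists.
    if "#" not in location:
        inherited = urlsplit(request_ref).fragment
        if inherited:
            resolved = urlunsplit(urlsplit(resolved)._replace(fragment=inherited))
    return resolved


def follow_redirects(start_ref, responses, max_hops=3):
    """Walk 3xx responses; return (current_uri, hops, reason).
    responses maps a request URI as sent on the wire (no fragment) to the
    Location value the server answers with; a missing key means the server
    returned something other than a redirect.  Loops and over-long chains
    are reported rather than followed, which bounds the work an attacker
    can force on the tool doing the resolving."""
    seen = set()
    current, hops = start_ref, 0
    while True:
        on_wire = urlunsplit(urlsplit(current)._replace(fragment=""))
        if on_wire in seen:
            return current, hops, "loop"
        seen.add(on_wire)
        location = responses.get(on_wire)
        if location is None:
            return current, hops, "done"
        if hops >= max_hops:
            return current, hops, "max_hops"
        current = resolve_location(current, location)
        hops += 1


# Constructed sample: a shortener whose three redirects form a cycle.
LOOPING_CHAIN = {
    "http://sho.rt/a": "/b",
    "http://sho.rt/b": "http://sho.rt/c",
    "http://sho.rt/c": "/a",
}
```

`follow_redirects("http://sho.rt/a#frag", LOOPING_CHAIN)` stops with reason `"loop"` after three hops instead of spinning, and the fragment survives each hop because none of the Location values carries one.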