Re: #295: Applying original fragment to "plain" redirected URI (also #43)

Mark Nottingham <mnot@mnot.net> Thu, 16 February 2012 05:20 UTC

From: Mark Nottingham <mnot@mnot.net>
In-Reply-To: <4F3C275E.8000201@gmx.de>
Date: Thu, 16 Feb 2012 16:18:39 +1100
Cc: "Roy T. Fielding" <fielding@gbiv.com>, Larry Masinter <masinter@adobe.com>, httpbis Group <ietf-http-wg@w3.org>, Adam Barth <ietf@adambarth.com>
Message-Id: <3F6B3B55-C81B-483E-A4CF-F638AEF84C53@mnot.net>
References: <6A53E99A-019D-4F6D-A33D-24524CD34E17@mnot.net> <4EFDFA17.4080804@gmx.de> <4F031419.1050708@gmx.de> <C68CB012D9182D408CED7B884F441D4D06121B5AE5@nambxv01a.corp.adobe.com> <4F0608AB.20808@gmx.de> <EDB1544B-C4AE-41CA-806A-15FD1956D467@gbiv.com> <4F08649E.6060107@gmx.de> <5AD13674-95D2-4B8B-AB84-30FBD5B45348@mnot.net> <F5646201-718C-4BA5-A644-9828186B88B0@mnot.net> <4F3C275E.8000201@gmx.de>
To: Julian Reschke <julian.reschke@gmx.de>
Subject: Re: #295: Applying original fragment to "plain" redirected URI (also #43)
Archived-At: <http://www.w3.org/mid/3F6B3B55-C81B-483E-A4CF-F638AEF84C53@mnot.net>

+1


On 16/02/2012, at 8:45 AM, Julian Reschke wrote:

> On 2012-02-13 05:59, Mark Nottingham wrote:
>> Assigned for -19.
> 
> Proposed patch here: <http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/295/295.diff>
> 
> This changes the description of the header field to:
> 
> 9.5.  Location
> 
>   The "Location" header field is used to identify a newly created
>   resource, or to redirect the recipient to a different location for
>   completion of the request.
> 
>     Location = URI-reference
> 
>   For 201 (Created) responses, the Location is the URI of the new
>   resource which was created by the request.  For 3xx responses, the
>   location SHOULD indicate the server's preferred URI for automatic
>   redirection to the resource.
> 
>   The field value consists of a single URI-reference.  When it has the
>   form of a relative reference ([RFC3986], Section 4.2), the final
>   value is computed by resolving it against the effective request URI
>   ([RFC3986], Section 5).  If the original URI, as navigated to by the
>   user agent, did contain a fragment identifier, and the final value
>   does not, then the original URI's fragment identifier is added to the
>   final value.
> 
>   For example, the original URI "http://www.example.org/~tim", combined
>   with a field value given as:
> 
>     Location: /pub/WWW/People.html#tim
> 
>   would result in a final value of
>   "http://www.example.org/pub/WWW/People.html#tim"
> 
>   An original URI "http://www.example.org/index.html#larry", combined
>   with a field value given as:
> 
>     Location: http://www.example.net/index.html
> 
>   would result in a final value of
>   "http://www.example.net/index.html#larry", preserving the original
>   fragment identifier.
> 
>      Note: Some recipients attempt to recover from Location fields that
>      are not valid URI references.  This specification does not mandate
>      or define such processing, but does allow it (see Section 1.1).
> 
>   There are circumstances in which a fragment identifier in a Location
>   URI would not be appropriate.  For instance, when it appears in a 201
>   Created response, where the Location header field specifies the URI
>   for the entire created resource.
> 
>      Note: The Content-Location header field (Section 6.7 of [Part3])
>      differs from Location in that the Content-Location identifies the
>      most specific resource corresponding to the enclosed
>      representation.  It is therefore possible for a response to
>      contain header fields for both Location and Content-Location.
> 
> 
> And also adds the following Security Consideration:
> 
>   Furthermore, appending the fragment identifier from one URI to
>   another one obtained from a Location header field might leak
>   confidential information to the target server -- although the
>   fragment identifier is not transmitted in the final request, it might
>   be visible to the user agent through other means, such as scripting.
> 
> Best regards, Julian
> 
> 
>> On 01/02/2012, at 4:13 PM, Mark Nottingham wrote:
>> 
>>> 
>>> On 08/01/2012, at 2:28 AM, Julian Reschke wrote:
>>> 
>>>> To make this change we could add to:
>>>> 
>>>> "The field value consists of a single URI-reference. When it has the form of a relative reference ([RFC3986], Section 4.2), the final value is computed by resolving it against the effective request URI ([RFC3986], Section 5)."
>>>> 
>>>> saying
>>>> 
>>>> "... If the original URI, as navigated to by the user agent, did contain a fragment identifier, and the final value does not, then the original URI's fragment identifier is added to the final value."
>>>> 
>>>> 
>>>> (and also we would kill <http://greenbytes.de/tech/webdav/draft-ietf-httpbis-p2-semantics-18.html#rfc.section.9.5.p.9>).
>>> 
>>> Works for me; +1. Some examples wouldn't go astray.
>> 
>> 
>> 
>> 
>> --
>> Mark Nottingham   http://www.mnot.net/
>> 
>> 
>> 
>> 
>> 
> 

--
Mark Nottingham   http://www.mnot.net/
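Added example, not part of this thread or of the httpbis draft text quoted above: a small Python model of what a user agent does with a Location field under the proposed wording. It resolves the field value against the effective request URI (RFC 3986, Section 5), carries the original fragment over only when the final value has none, and, for the security consideration, shows that the carried fragment is absent from the request-target sent to the redirect target while still present in the URI the user agent ends up at. The function names, the constructed sample exchange and the redirect chain are this example's own assumptions; the two URIs from the draft's examples are used as inputs.

```python
"""Model of the proposed Location/fragment handling (ticket #295).

Added example; not code from the HTTPbis draft or the mailing list.
Rules implemented, as in the quoted draft text:
  1. Location is a single URI-reference, resolved against the effective
     request URI per RFC 3986 Section 5.
  2. If the URI the user agent navigated to had a fragment and the final
     value does not, the original fragment is appended.
  3. The fragment is never sent in the follow-up request, so any leak is
     to the target's client-side environment, not to its server.
"""
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed sample exchange (assumption, mirrors the draft's second
# example): the user agent navigated to SAMPLE_ORIGINAL and received a
# 3xx response carrying SAMPLE_LOCATION.
SAMPLE_ORIGINAL = "http://www.example.org/index.html#larry"
SAMPLE_LOCATION = "http://www.example.net/index.html"


def final_location(original_uri: str, location: str) -> str:
    """Final value of a Location field as computed by the user agent.

    original_uri: URI the user agent navigated to, fragment included.
    location:     raw Location field value (absolute or relative reference).
    """
    # Step 1: RFC 3986 resolution. urljoin ignores the base's fragment,
    # which matches the fact that the fragment was never part of the
    # request-target in the first place.
    resolved = urlsplit(urljoin(original_uri, location))
    # Step 2: RFC 3986 Section 5.2.2 always takes the fragment from the
    # reference, so "the final value does not contain a fragment" holds
    # exactly when the Location value carries none. Only then does the
    # original fragment carry over.
    if "#" in location:
        fragment = resolved.fragment
    else:
        fragment = urlsplit(original_uri).fragment
    return urlunsplit(resolved._replace(fragment=fragment))


def request_target(uri: str) -> str:
    """Origin-form request-target the follow-up request puts on the wire.

    The fragment never leaves the user agent, which is why the security
    consideration talks about scripting rather than server logs.
    """
    parts = urlsplit(uri)
    path = parts.path or "/"
    return path + ("?" + parts.query if parts.query else "")


def leaked_fragment(original_uri: str, location: str):
    """Return the original fragment if the carry-over rule moves it to a
    different origin (the case the security consideration warns about),
    otherwise None."""
    orig = urlsplit(original_uri)
    final = urlsplit(final_location(original_uri, location))
    crosses_origin = (orig.scheme, orig.netloc) != (final.scheme, final.netloc)
    if orig.fragment and final.fragment == orig.fragment and crosses_origin:
        return final.fragment
    return None


def redirect_chain(original_uri: str, locations) -> str:
    """Apply the rule across several redirects: a fragment supplied by any
    Location value replaces the carried one; otherwise it keeps propagating."""
    current = original_uri
    for loc in locations:
        current = final_location(current, loc)
    return current


if __name__ == "__main__":
    final = final_location(SAMPLE_ORIGINAL, SAMPLE_LOCATION)
    print("final URI seen by user agent:", final)            # fragment present
    print("request-target sent to server:", request_target(final))  # no fragment
    print("fragment crossing origins:", leaked_fragment(SAMPLE_ORIGINAL, SAMPLE_LOCATION))
```

Running the block prints the draft's second example: the user agent lands on http://www.example.net/index.html#larry, while www.example.net only ever receives "GET /index.html"; the fragment "larry" crosses from example.org to example.net purely inside the client.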