Re: LYNX-DEV two curiosities from IETF HTTP session.

[Foteos Macrides]

Yaron Goland <address@hidden> wrote:
>I doubt any commercial browser will implement 305 without some very serious
>security provided to assure that the proxy asking for the one time redirect
>is going to get it. I would suggest that this problem needs to be dealt with
>in the large 305/306 context, in a stand alone spec, and that the draft
>standard for HTTP should simply state that 305 has been deprecated and
>SHOULD NOT be implemented.

        You apparently haven't yet grasped the changes Jim already has
made for 305 in Rev-01.  The 305 can *only* be sent by an origin server.
Deployed proxies will pass it through to the browser, as they do for
300, 301, 302, 303 and 307.  Josh's 305/306 draft has been dropped
from Rev-01, with expectation that he (and Ari) will generate a new,
306-only draft (complementary to a revised OPTIONS draft).  I suppose
a proxy, if already being used by the browser, could (should?) act on
the 305, and there shouldn't be a security problem with that if the
305 is to be handled always as a GET.  If unsafe methods are to be
retained with 305, instead of postponing that functionality to a new
306 proposal, then yes, it would be better to drop 305.  But 305 would
be useful if it were specified as presently in Rev-01 with the addition
of a sentence that GET always should be used, and who knows when, if
ever, the security/privacy problems with 306 will be solved.

                                Fote

=========================================================================
 Foteos Macrides            Worcester Foundation for Biomedical Research
 address@hidden         222 Maple Avenue, Shrewsbury, MA 01545
=========================================================================