
Author orsenthil
Recipients crustymonkey, eric.araujo, orsenthil
Date 2012-03-05.10:10:52
Message-id <1330942255.5.0.389627781673.issue14144@psf.upfronthosting.co.za>
Content
Hi Jay & Éric,

I understand your points, and providing an extra argument seems like an idea that could be useful to circumvent what you see as a problem.

The RFC section states that:

"The action required MAY be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD".

By this, I understand the RFC to mean that, for POST data, the user is made aware of and is conscious of the redirect that is happening and is "permitting" the data to be POSTed to the new location.

The interaction happens like this:

User: Post to /a
Browser: Posts to /a and Server says oh /a is /b
Browser: Hello user! Server says /a is now /b. Shall I post to /b?
User: Yes, you may.

This is different from what you are saying, which is like having an option in the browser settings that enables following redirects on POST.

User: Post to /a (and if there is redirect follow that post to the corresponding site).
Browser: Posts to /a and Server says /a is /b. 
Browser: Posts to /b

But do you know if any such browser setting exists? No. Browsers, for good reasons, do not provide such a setting, and they prompt the user if they want to follow the redirect with POST.

In a similar way, developers using urllib as a library in their applications can obtain the redirected URL and then POST to the redirected URL. That would be equivalent behavior.

Providing an automatic follow-redirect on POST could be a serious security issue, both for clients/libraries and browsers. Even with a word of caution, it has a high chance of being misused. So, I am -1 on this proposal.

I hope you understand my argument. I had thought about this earlier for a similar issue, and I remember we made the decision to drop the data following the redirected POST. If my argument is not convincing enough, then I think it would be a good idea to bring this bug to discussion on python-dev or web-sig and provide some concrete real-world examples. That could bring some use cases for/against this issue and might be helpful.

Thanks,
Senthil
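
The approach described in the message above (obtain the redirected URL, then POST to it as an explicit decision) can be sketched as follows. This is an added example, not code from the original message or from urllib; `NoAutoRedirect`, `post_with_confirmation`, `same_origin`, `DemoHandler` and `run_demo` are hypothetical names, and the local server is constructed for the demonstration.

```python
import http.server, threading, urllib.error, urllib.parse, urllib.request

class NoAutoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow a redirect silently; the 3xx then surfaces as HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def post_with_confirmation(url, data, confirm):
    """POST data; on a redirect, re-POST once and only if confirm(url, target) is true."""
    handlers = (NoAutoRedirect, urllib.request.ProxyHandler({}))  # {} = ignore env proxies
    opener = urllib.request.build_opener(*handlers)
    try:
        with opener.open(urllib.request.Request(url, data=data, method="POST")) as resp:
            return url, resp.read()
    except urllib.error.HTTPError as err:
        location = err.headers.get("Location")
        if err.code not in (301, 302, 303, 307, 308) or not location:
            raise
        target = urllib.parse.urljoin(url, location)
    if not confirm(url, target):
        return target, None  # declined: the data never reaches the new location
    with opener.open(urllib.request.Request(target, data=data, method="POST")) as resp:
        return target, resp.read()

def same_origin(old, new):
    """Hypothetical policy: allow the re-POST only to the same scheme and host:port."""
    a, b = urllib.parse.urlsplit(old), urllib.parse.urlsplit(new)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)

class DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed local server: POST /a redirects to /b, POST /b echoes the body."""
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(302 if self.path == "/a" else 200)
        if self.path == "/a":
            self.send_header("Location", "/b")
            body = b""
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass

def run_demo(confirm):
    server = http.server.HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return post_with_confirmation(f"http://127.0.0.1:{server.server_port}/a", b"k=v", confirm)
    finally:
        server.shutdown()
```

The `confirm` callback plays the role of the browser prompt in the dialogue above: the caller, not the library, decides whether the body goes to the new location.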
History
Date User Action Args
2012-03-05 10:10:55 orsenthil set recipients: + orsenthil, eric.araujo, crustymonkey
2012-03-05 10:10:55 orsenthil set messageid: <1330942255.5.0.389627781673.issue14144@psf.upfronthosting.co.za>
2012-03-05 10:10:54 orsenthil link issue14144 messages
2012-03-05 10:10:52 orsenthil create