Ticket #295: 295.diff

File 295.diff, 4.7 KB (added by julian.reschke@…, 11 years ago)

Proposed patch

  • p2-semantics.xml

     
    25892589   resource, or to redirect the recipient to a different location for
    25902590   completion of the request.
    25912591</t>
     2592<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="Location"/>
     2593  <x:ref>Location</x:ref> = <x:ref>URI-reference</x:ref>
     2594</artwork></figure>
    25922595<t>
    25932596   For 201 (Created) responses, the Location is the URI of the new resource
    25942597   which was created by the request. For 3xx responses, the location &SHOULD;
     
    25992602   The field value consists of a single URI-reference. When it has the form
    26002603   of a relative reference (<xref target="RFC3986" x:fmt="," x:sec="4.2"/>),
    26012604   the final value is computed by resolving it against the effective request
    2602    URI (<xref target="RFC3986" x:fmt="," x:sec="5"/>).
     2605   URI (<xref target="RFC3986" x:fmt="," x:sec="5"/>). If the original URI, as
     2606   navigated to by the user agent, did contain a fragment identifier, and the
     2607   final value does not, then the original URI's fragment identifier is added
     2608   to the final value.
    26032609</t>
    2604 <figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="Location"/>
    2605   <x:ref>Location</x:ref> = <x:ref>URI-reference</x:ref>
    2606 </artwork></figure>
    26072610<figure>
    2608 <preamble>Examples are:</preamble><!--DO NOT DARE changing the vertical spacing below, it's necessary this way for xml2rfc-->
     2611<preamble>For example, the original URI "http://www.example.org/~tim", combined with a field value given as:</preamble><!--DO NOT DARE changing the vertical spacing below, it's necessary this way for xml2rfc-->
    26092612<artwork type="example">
    2610   Location: http://www.example.org/pub/WWW/People.html#tim
    2611 </artwork></figure><figure><artwork type="example">  Location: /index.html
    2612 </artwork></figure>
     2613  Location: /pub/WWW/People.html#tim
     2614</artwork>
     2615<postamble>would result in a final value of "http://www.example.org/pub/WWW/People.html#tim"</postamble>
     2616</figure>
     2617<figure>
     2618<preamble>An original URI "http://www.example.org/index.html#larry", combined with a field value given as:</preamble><!--DO NOT DARE changing the vertical spacing below, it's necessary this way for xml2rfc-->
     2619<artwork type="example">
     2620  Location: http://www.example.net/index.html
     2621</artwork>
     2622<postamble>would result in a final value of "http://www.example.net/index.html#larry", preserving the original fragment identifier.</postamble>
     2623</figure>
    26132624<x:note>
    26142625  <t>
    26152626    <x:h>Note:</x:h> Some recipients attempt to recover from Location fields
     
    26252636</t>
    26262637<x:note>
    26272638  <t>
    2628     <x:h>Note:</x:h> This specification does not define precedence rules
    2629     for the case where the original URI, as navigated to by the user
    2630     agent, and the Location header field value both contain fragment
    2631     identifiers. Thus be aware that including fragment identifiers might
    2632     inconvenience anyone relying on the semantics of the original URI's
    2633     fragment identifier.
    2634   </t>
    2635 </x:note>
    2636 <x:note>
    2637   <t>
    26382639    <x:h>Note:</x:h> The Content-Location header field (&header-content-location;) differs
    26392640    from Location in that the Content-Location identifies the most specific
    26402641    resource corresponding to the enclosed representation.
     
    32833284</t>
    32843285</section>
    32853286
    3286 <section title="Location Headers and Spoofing" anchor="location.spoofing">
     3287<section title="Location Header Fields and Spoofing" anchor="location.spoofing">
    32873288<t>
    32883289   If a single server supports multiple organizations that do not trust
    32893290   one another, then it &MUST; check the values of Location and Content-Location
     
    32913292   said organizations to make sure that they do not attempt to
    32923293   invalidate resources over which they have no authority.
    32933294</t>
     3295<t>
     3296   Furthermore, appending the fragment identifier from one URI to another
     3297   one obtained from a Location header field might leak confidential
     3298   information to the target server &mdash; although the fragment identifier is
     3299   not transmitted in the final request, it might be visible to the user agent
     3300   through other means, such as scripting).
     3301</t>
    32943302</section>
    32953303
    32963304<section title="Security Considerations for CONNECT">
     
    46574665      "Requirements for user intervention during redirects"
    46584666    </t>
    46594667    <t>
     4668      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/295"/>:
     4669      "Applying original fragment to 'plain' redirected URI"
     4670    </t>
     4671    <t>
    46604672      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/302"/>:
    46614673      "Misplaced text on connection handling in p2"
    46624674    </t>