Timestamp:
Feb 16, 2012, 2:26:09 PM (8 years ago)
Author:
julian.reschke@…
Message:

Location header field: define header field recombination in presence of fragment identifiers, mention security impact, rephrase main definition (see #295)

File:
1 edited

  • draft-ietf-httpbis/latest/p2-semantics.xml

    r1534 r1536  
    25862586  <x:anchor-alias value="Location"/>
    25872587<t>
    2588    The "Location" header field is used to identify a newly created
    2589    resource, or to redirect the recipient to a different location for
    2590    completion of the request.
    2591 </t>
     2588   The "Location" header field &MAY; be sent in responses to refer to
     2589   a specific resource in accordance with the semantics of the status
     2590   code.
     2591</t>
     2592<figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="Location"/>
     2593  <x:ref>Location</x:ref> = <x:ref>URI-reference</x:ref>
     2594</artwork></figure>
    25922595<t>
    25932596   For 201 (Created) responses, the Location is the URI of the new resource
     
    26002603   of a relative reference (<xref target="RFC3986" x:fmt="," x:sec="4.2"/>),
    26012604   the final value is computed by resolving it against the effective request
    2602    URI (<xref target="RFC3986" x:fmt="," x:sec="5"/>).
    2603 </t>
    2604 <figure><artwork type="abnf2616"><iref primary="true" item="Grammar" subitem="Location"/>
    2605   <x:ref>Location</x:ref> = <x:ref>URI-reference</x:ref>
    2606 </artwork></figure>
     2605   URI (<xref target="RFC3986" x:fmt="," x:sec="5"/>). If the original URI, as
     2606   navigated to by the user agent, did contain a fragment identifier, and the
     2607   final value does not, then the original URI's fragment identifier is added
     2608   to the final value.
     2609</t>
    26072610<figure>
    2608 <preamble>Examples are:</preamble><!--DO NOT DARE changing the vertical spacing below, it's necessary this way for xml2rfc-->
     2611<preamble>For example, the original URI "http://www.example.org/~tim", combined with a field value given as:</preamble><!--DO NOT DARE changing the vertical spacing below, it's necessary this way for xml2rfc-->
    26092612<artwork type="example">
    2610   Location: http://www.example.org/pub/WWW/People.html#tim
    2611 </artwork></figure><figure><artwork type="example">  Location: /index.html
    2612 </artwork></figure>
     2613  Location: /pub/WWW/People.html#tim
     2614</artwork>
     2615<postamble>would result in a final value of "http://www.example.org/pub/WWW/People.html#tim"</postamble>
     2616</figure>
     2617<figure>
     2618<preamble>An original URI "http://www.example.org/index.html#larry", combined with a field value given as:</preamble><!--DO NOT DARE changing the vertical spacing below, it's necessary this way for xml2rfc-->
     2619<artwork type="example">
     2620  Location: http://www.example.net/index.html
     2621</artwork>
     2622<postamble>would result in a final value of "http://www.example.net/index.html#larry", preserving the original fragment identifier.</postamble>
     2623</figure>
    26132624<x:note>
    26142625  <t>
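Review bot: the new recombination rule at lines 2605-2608 is stated for any "original URI, as navigated to by the user agent", but it sits in the same paragraph as the 201 (Created) text and never says which status codes it applies to; it also leaves open whether a Location value that ends in an empty fragment ("#") counts as containing a fragment identifier, which decides whether a server can opt out of recombination. Suggest scoping the rule to redirection responses and adding one sentence saying explicitly how an empty fragment identifier in the Location value is treated, so implementations agree.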
     
    26242635   created resource.
    26252636</t>
    2626 <x:note>
    2627   <t>
    2628     <x:h>Note:</x:h> This specification does not define precedence rules
    2629     for the case where the original URI, as navigated to by the user
    2630     agent, and the Location header field value both contain fragment
    2631     identifiers. Thus be aware that including fragment identifiers might
    2632     inconvenience anyone relying on the semantics of the original URI's
    2633     fragment identifier.
    2634   </t>
    2635 </x:note>
    26362637<x:note>
    26372638  <t>
     
    32843285</section>
    32853286
    3286 <section title="Location Headers and Spoofing" anchor="location.spoofing">
     3287<section title="Location Header Fields: Spoofing and Information Leakage" anchor="location.spoofing-leakage">
    32873288<t>
    32883289   If a single server supports multiple organizations that do not trust
     
    32913292   said organizations to make sure that they do not attempt to
    32923293   invalidate resources over which they have no authority.
     3294</t>
     3295<t>
     3296   Furthermore, appending the fragment identifier from one URI to another
     3297   one obtained from a Location header field might leak confidential
     3298   information to the target server &mdash; although the fragment identifier is
     3299   not transmitted in the final request, it might be visible to the user agent
     3300   through other means, such as scripting.
    32933301</t>
    32943302</section>
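Review bot: at lines 3298-3300 the leak is described as the fragment being "visible to the user agent through other means, such as scripting", but the user agent already holds the fragment; the risk named in the preceding sentence is disclosure to the target server, which occurs when script served by that server reads the fragment from the user agent. Suggest rewording to "although the fragment identifier is not transmitted in the request, script served by the target server might be able to read it from the user agent". Also, renaming the anchor from "location.spoofing" to "location.spoofing-leakage" (line 3287) breaks any existing xref to the old anchor; check for references before merging.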
     
    46584666    </t>
    46594667    <t>
     4668      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/295"/>:
     4669      "Applying original fragment to 'plain' redirected URI"
     4670    </t>
     4671    <t>
    46604672      <eref target="http://tools.ietf.org/wg/httpbis/trac/ticket/302"/>:
    46614673      "Misplaced text on connection handling in p2"