[Openid-specs-fapi] Issue #418: 303 should be used (openid/fapi)

Travis Spencer issues-reply at bitbucket.org
Fri May 28 08:38:06 UTC 2021


New issue 418: 303 should be used
https://bitbucket.org/openid/fapi/issues/418/303-should-be-used

Travis Spencer:

Section 2.2.1 point 18 says:

> shall not use the HTTP 307 status code when redirecting a request that contains user credentials to avoid forwarding the credentials to a third party accidentally (see section 4.11 of [I-D.ietf-oauth-security-topics](https://openid.net/specs/fapi-2_0-baseline-00.html#I-D.ietf-oauth-security-topics))

This should be updated, IMO, to:

> shall not use the HTTP 307 status code when redirecting a request that contains user credentials to avoid forwarding the credentials to a third party accidentally (see section 4.11 of [I-D.ietf-oauth-security-topics]); **should use the HTTP 303 status code when redirecting the user agent using status codes.**

Rationale:

> The only HTTP redirect code unambiguously defined to drop the body of an HTTP POST request is a 303.

[https://blog.acolyer.org/2016/11/07/a-comprehensive-formal-security-analysis-of-oauth-2-0/](https://blog.acolyer.org/2016/11/07/a-comprehensive-formal-security-analysis-of-oauth-2-0/)
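The following is an added example, not part of the issue above or of the FAPI specification. It models the user-agent side of an HTTP redirect as RFC 7231 defines it, so the difference the issue is about can be exercised directly: after an authorization server answers a login form POST (username and password in the body) with a redirect to the client's redirect_uri, which status codes make a conforming user agent re-send the POST body to that other host? The request URLs, the form body and the redirect_uri are constructed sample data, and the 301/302 branch encodes the common browser behaviour (rewrite POST to GET), which the RFC only permits rather than requires.

```python
"""Model of how an RFC 7231 user agent re-issues a request after a redirect.

Added example: it is not code from the FAPI working group or the issue
author. Hosts, paths and the form body below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[bytes] = None


@dataclass
class Response:
    status: int
    location: Optional[str] = None


def follow_redirect(req: Request, resp: Response) -> Optional[Request]:
    """Return the request a conforming user agent issues next, or None.

    303 See Other (RFC 7231 6.4.4): the UA retrieves Location with GET
        (HEAD stays HEAD); the original method and body are dropped.
    307 / 308 (RFC 7231 6.4.7, RFC 7538): the UA repeats the request
        unchanged, same method and same body, against the new URL.
    301 / 302: the RFC lets the UA change POST to GET and most browsers
        do, so that is what is modelled here, but the spec text leaves it
        to the implementation, which is why the issue calls 303 the only
        unambiguous choice.
    """
    if resp.status not in (301, 302, 303, 307, 308) or resp.location is None:
        return None
    if resp.status == 303:
        method = "HEAD" if req.method == "HEAD" else "GET"
        return Request(method, resp.location)
    if resp.status in (307, 308):
        return Request(req.method, resp.location, dict(req.headers), req.body)
    # 301 / 302: common (not mandated) behaviour, POST becomes a bodiless GET.
    if req.method == "POST":
        return Request("GET", resp.location)
    return Request(req.method, resp.location, dict(req.headers), req.body)


def credentials_forwarded(req: Request, resp: Response) -> bool:
    """True when the follow-up request carries the original body to another host."""
    nxt = follow_redirect(req, resp)
    if nxt is None or not nxt.body:
        return False
    return urlsplit(nxt.url).netloc != urlsplit(req.url).netloc


# Constructed sample: the browser submits the AS login form, and the AS
# answers with a redirect to the client's redirect_uri (a different host).
LOGIN_POST = Request(
    "POST",
    "https://as.example/login",
    headers={"Content-Type": "application/x-www-form-urlencoded"},
    body=b"username=alice&password=hunter2&session=abc123",
)
REDIRECT_URI = "https://client.example/cb?code=SAMPLEcode123&state=xyz"


def compare(statuses=(302, 303, 307, 308)) -> Dict[int, Dict[str, object]]:
    """For each status, what the UA sends next and whether credentials leak."""
    out = {}
    for status in statuses:
        nxt = follow_redirect(LOGIN_POST, Response(status, REDIRECT_URI))
        out[status] = {
            "method": nxt.method if nxt else None,
            "body_sent": bool(nxt and nxt.body),
            "leaks_credentials": credentials_forwarded(
                LOGIN_POST, Response(status, REDIRECT_URI)
            ),
        }
    return out


if __name__ == "__main__":
    for status, row in compare().items():
        print(status, row)
```

Running the block prints one row per status code: 303 yields a bodiless GET to client.example, 307 and 308 re-POST the username and password to client.example, and 302 only avoids that because of the user agent's discretionary POST-to-GET rewrite. The `credentials_forwarded` check is the property the FAPI text in point 18 is protecting; note it keys on the host changing, so a 307 back to the authorization server's own origin is not flagged.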

