[Openid-specs-fapi] Issue #418: 303 should be used (openid/fapi)
Travis Spencer
issues-reply at bitbucket.org
Fri May 28 08:38:06 UTC 2021
New issue 418: 303 should be used
https://bitbucket.org/openid/fapi/issues/418/303-should-be-used
Travis Spencer:
Section 2.2.1 point 18 says:
> shall not use the HTTP 307 status code when redirecting a request that contains user credentials to avoid forwarding the credentials to a third party accidentally (see section 4.11 of [[I-D.ietf-oauth-security-topics](https://openid.net/specs/fapi-2_0-baseline-00.html#I-D.ietf-oauth-security-topics)])
This should be updated, IMO, to:
> shall not use the HTTP 307 status code when redirecting a request that contains user credentials to avoid forwarding the credentials to a third party accidentally (see section 4.11 of [I-D.ietf-oauth-security-topics]); **should use the HTTP 303 status code when redirecting the user agent using status codes.**
Rationale:
> The only HTTP redirect code unambiguously defined to drop the body of an HTTP POST request is a 303.
[https://blog.acolyer.org/2016/11/07/a-comprehensive-formal-security-analysis-of-oauth-2-0/](https://blog.acolyer.org/2016/11/07/a-comprehensive-formal-security-analysis-of-oauth-2-0/)
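The following is an added example, not part of the issue or of the FAPI or OAuth specifications: it models the redirect semantics of RFC 7231 (and RFC 7538 for 308) that the rationale above relies on, showing which status codes can carry a credential-bearing POST body on to the redirect target, plus a small audit check for the rule in section 2.2.1 point 18. The login URL, third-party URL and form body are constructed sample values.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Set


@dataclass(frozen=True)
class Request:
    method: str
    url: str
    body: Optional[str]  # form body; None when the user agent sends no body


def follow_redirect(req: Request, status: int, location: str) -> Set[Request]:
    """Return every follow-up request RFC 7231 permits a user agent to send.

    303: the user agent performs a GET on Location, so the body is dropped.
    307/308: the user agent MUST NOT change the method, so the body is replayed.
    301/302: historically ambiguous; user agents MAY rewrite POST to GET or may
             replay the POST, so both outcomes have to be considered possible.
    """
    as_get = Request("GET", location, None)
    replayed = replace(req, url=location)
    if status == 303:
        return {as_get}
    if status in (307, 308):
        return {replayed}
    if status in (301, 302):
        return {as_get, replayed}
    raise ValueError(f"{status} is not a redirect status a user agent follows")


def credentials_may_leak(status: int) -> bool:
    """True if any permitted follow-up delivers the credential body to the new
    origin. Login request and third-party URL are constructed samples."""
    login = Request("POST", "https://as.example/login",
                    "username=alice&password=CONSTRUCTED-SAMPLE")
    third_party = "https://thirdparty.example/landing"
    return any(r.body is not None
               for r in follow_redirect(login, status, third_party))


def audit_redirect(req: Request, status: int, location: str) -> List[str]:
    """Defender-side check of section 2.2.1 point 18 and the proposed addition:
    flag redirects of a body-carrying request that could forward that body."""
    findings: List[str] = []
    if req.body is None:
        return findings  # nothing to forward; any redirect status is fine
    if status in (307, 308):
        findings.append(f"{status} replays the request body to {location}; use 303")
    elif status in (301, 302):
        findings.append(f"{status} leaves the POST-to-GET rewrite to the user agent; use 303")
    return findings
```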