RE: LYNX-DEV two curiosities from IETF HTTP session.

[Josh Cohen]

> -----Original Message-----
> From: Foteos Macrides [SMTP:address@hidden
> Sent: Tuesday, December 09, 1997 7:02 AM
> To:   address@hidden
> Cc:   address@hidden
> Subject:      Re: LYNX-DEV two curiosities from IETF HTTP session.
> 
> Al Gilman <address@hidden> wrote:
> >Two issues came up in today's session of the HTTP 1.1 WG that
> >left me curious.  Not that any major decisions hang on the
> >answers, but:
> >
> >Lynx came up when the fellow from MicroSoft quipped regarding the
> >305 proxy redirection message "Lynx has implemented it."
> >
> >Later it appeared he meant to be humorous, as it was left as an
> >open question.
> >
> >The Conventional Wisdom in the meeting is that 305 is broken and
> >306 didn't fix it.  The group is headed in the direction that
> >this function will not be present in the "Draft Standard" version
> >of 1.1.
> >
> >Going, going...
        [Joshua Cohen]  
        Well, I guess its time for me to fess up.
        Im the guy who "quipped".  Im also the guy who wrote the 305/306
draft to specify 
        the 305 and 306 so that they are usable.
        Unfortunately, we simply couldnt resolve the security implications
in time
        and leaving them in the http/1.1 draft puts the entire protocol at
risk from
        a process point of view.
        Before anyone jumps at dont put process over function, if we had a
good
        resolution, Id be pushing for it in the core protocol.  We dont, and
until
        we do, it needs to wait..
>  
>       The specs for 305 in the most current HTTP/1.1 draft in
> effect describe Lynx's implementation, years ago, but not
> completely.  Lynx's implementation:
> 
        [Joshua Cohen]  [--snipped--] 
>       If 306 is revised, it would be better to treat that as
> a new status, not a revision of 305, and have 306 based on only a
> Set-Proxy: header, with no Location header.  Browsers which do not
> implement it thus will treat it as 300, and should show the body
> by virtue of no Location header being present.
> 
>       Whether or not the "guys at MicroSoft" as yet grasp the
> occassional uses to which 304, 305, and 307 might be put, they
> nonetheless can be useful ocassionally (that statement was intended
> to be humorous &#1;).  But 306 does need more work before it's
> intended uses can be achieved.
> 
        [Joshua Cohen]  This "guy at microsoft" gets it, and I beleive
        that most of my colleagues do as well.   As I said earlier, the
        305-306 draft (which was supposed to roll into http/1.1)
        was my doing. 

        Please dont ascribe any higher meaning to the fact that
        a "microsoft" guy spoke about temporarily holding
        305/306 from the http/1.1 draft.  Im still enthusiastic
        about the 305/306 functionality but until
        we can resolve the very real security implications
        it is prudent to withold it from the draft..


        Josh Cohen <address@hidden>
>