303 should be used

Comments (10)

1. 

   Travis Spencer reporter

   • changed component to FAPI2: Baseline

   • 2021-05-28T08:57:54+00:00
2. 

   Filip Skokan

   307 is the only 3xx status known to relay the body of a request after IIRC modern browsers implement 302 handling as if it was a 303 already.

   I believe the language should reflect the security-topics BCP - if there’s the need it would be updated there first.

   • 2021-05-28T13:28:27+00:00
3. 

   Travis Spencer reporter

   So, a financial-grade security specification should only echo some other security BCP and not define anything additional?

   Are browsers the only user agent the spec cares about? Why rely on an ad-hoc standard based on common browser behavior?

   • 2021-05-28T14:44:55+00:00
4. 

   Daniel Fett

   After thinking a bit more about this, maybe FAPI is the right place to give more concrete advice here. After all, we’re doing that in many places of the spec.

   • 2021-06-02T14:50:31+00:00
5. 

   Takahiko Kawasaki

   If FAPI 2.0 recommends specific HTTP status codes (e.g. 303) instead of prohibiting some (i.e. 307), it also should be taken into consideration that the examples in RFC 6749 are using 302.

   • 2021-06-12T20:20:46+00:00
6. 

   Dave Tonge

   @daniel @taka what do you think of Travis' suggested wording?

   • 2021-06-16T14:11:45+00:00
7. 

   Takahiko Kawasaki

   I wouldn’t disagree if asked. (I don’t have enough expertise in the area, sorry.)

   • 2021-06-16T14:24:57+00:00
8. 

   Dave Tonge

   https://bitbucket.org/openid/fapi/pull-requests/278/add-additional-clause-about-redirects

   • 2021-06-23T13:54:39+00:00
9. 

   Dave Tonge

   • changed status to resolved

   PR merged

   • 2021-06-23T16:14:44+00:00
10. 

    Nat Sakimura

    • changed component to FAPI2: Security Profile

    • 2022-12-14T15:35:24+00:00
11. Log in to comment