redirect opt-in?

solderpunk solderpunk at SDF.ORG
Wed Jun 10 20:53:57 BST 2020


On Wed, Jun 10, 2020 at 12:49:11PM +0200, Petite Abeille wrote:
> Given that user-agents should refrain from initiating network connections on their own, should redirects (3x) be manually confirmed? With explicit user consent?

The recent change in the spec regarding automatic initiation of network
connections is very clearly limited in scope to the displaying of link
lines, so redirects are not covered by it.

> Perhaps user-agents SHOULD prompt for decisions as to whether to follow a redirect, or MAY follow redirects automatically.  

Bombadillo is an example of a client which always prompts for a decision
on redirects with (to my knowledge) a single exception (maybe this is
still just planned, not implemented - I don't use Bombadillo often, but
Sloum and I talk about client design a lot).  If a client requests a URL
not ending in a slash, and the server maps it to a directory, the server
must issue a redirect which appends the slash to the URL, otherwise
relative links will not work.  Manually confirming *that* every time
will be annoying and serve no good purpose.

AV-98 is slightly more pragmatic.  It can be configured to prompt on
every redirect, but by default it automatically follows all redirects
*except* those which involve moving between domains or between
protocols, which are the most suspicious kinds.

Cheers,
Solderpunk
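
Added example, not part of the original message and not code from AV-98 or Bombadillo: a sketch of the two redirect policies described above (follow automatically unless the redirect changes domain or protocol; or prompt on every redirect except the trailing-slash directory fix-up). The function names, the `prompt_always` flag, the reason labels and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit


def resolve(base, location):
    """Resolve a redirect target against the URL that was requested.

    urljoin() leaves relative references untouched for schemes it does not
    know (gemini included), so join as https and restore the scheme.
    """
    if urlsplit(location).scheme:
        return location  # already absolute
    scheme = urlsplit(base).scheme
    joined = urljoin("https" + base[len(scheme):], location)
    return scheme + joined[len("https"):]


def redirect_decision(requested, location, prompt_always=False):
    """Return (action, reason, target); action is 'follow' or 'prompt'."""
    target = resolve(requested, location)
    src, dst = urlsplit(requested), urlsplit(target)

    # Directory fix-up: the same URL with only a slash appended to the path.
    same_place = (src.scheme, src.netloc.lower(), src.query) == \
                 (dst.scheme, dst.netloc.lower(), dst.query)
    if same_place and dst.path == src.path + "/":
        return ("follow", "trailing-slash", target)
    # The two kinds singled out as most suspicious always get a prompt.
    if src.scheme != dst.scheme:
        return ("prompt", "cross-protocol", target)
    if src.hostname != dst.hostname:
        return ("prompt", "cross-domain", target)
    if prompt_always:
        return ("prompt", "configured", target)
    return ("follow", "same-site", target)


if __name__ == "__main__":
    # Constructed sample redirects, not taken from any real server.
    samples = [
        ("gemini://example.org/docs", "/docs/"),
        ("gemini://example.org/old", "new"),
        ("gemini://example.org/a", "gemini://other.example/a"),
        ("gemini://example.org/a", "https://example.org/a"),
    ]
    for requested, location in samples:
        print(requested, "->", redirect_decision(requested, location))
```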
