On Mon, Nov 24, 2008 at 8:16 PM, Hans Granqvist <[EMAIL PROTECTED]> wrote:
> Is there anything other than pragmatism that makes the temporary 302's so
> prolific? I see it in a bunch of places where permanent 301 redirects
> would seemingly make more sense.
>
> Also:
>
> Auto redirects as a side-effect to POSTs are forbidden in HTTP 1.1, but that
> still is what we have to do in protocol dancers like OAuth and OpenID.
>
> I could be confused, but it seems there is (no easy) way to implement any
> dancing protocol without breaking HTTP 1.1! Do I miss something obvious?
>
> I like pragmatism :) but how would OAuth implementations fare if browser
> manufacturers started enforcing this aspect of the HTTP standard? I guess
> the user experience could deteriorate quite badly?

Surely browsers never do OAuth, so it would make no difference?

In the case of the thing that actually _does_ do OAuth, there's (in some sense) no "user" to be notified about the redirect. Certainly this is true if the user is offline when OAuth is used. If it is used in order to show the user a web page, then, yes, there's a user, so perhaps the redirect could be handled interactively - but does it make any sense? For a start, the user might not be the one that owns the OAuth that is being used.
