Closed aaronpk closed 9 years ago
Sounds good. But in practice, it is going to be pretty much up to whatever comes out of the box in the library the implementations are using.
Yes, which is why I think it's best left as a brief mention rather than a specific hard-coded requirement.
I agree. Also many net implementations are low-level enough that you explicitly follow redirects or can specify a limit. You should certainly put a recommendation in to let people know that this is a concern so they can double-check the library they are using.
On second thought, there isn't actually a good reason to require the receiver to follow redirects on target. May be better to not require receivers to follow redirects to avoid opening up new security issues at all.
Updated the spec to not imply that receivers are required to follow redirects on the target, and should limit the number of redirects they follow on source. https://indiewebcamp.com/wiki/index.php?title=Webmention&diff=23494&oldid=23442
When checking if target is a redirect, there is potentially no end to the 301 redirect chain. Browsers have a limit where they'll stop following redirects after N. While specifying N is not a good idea, the spec should at least have a note about following redirects up to a chosen limit, and possibly recommending something sane such as the default that browsers follow.
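An added example, not part of the thread or the spec: one way a receiver could cap and loop-check redirects while fetching `source`. The `fetch` hook, the default limit of 10 and the sample URLs are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

class TooManyRedirects(Exception):
    """Raised when the chain exceeds the limit or revisits a URL."""

def resolve_source(url, fetch, max_redirects=10):
    """Follow redirects from `url`, one hop at a time, up to max_redirects.

    fetch(url) -> (status, location) is a hypothetical transport hook that
    performs ONE request with the HTTP library's auto-follow turned off.
    Returns (final_url, hops), where hops lists each redirect target in order.
    """
    seen, hops, current = {url}, [], url
    while True:
        status, location = fetch(current)
        if status not in REDIRECT_CODES or not location:
            return current, hops          # a real response: stop here
        if len(hops) >= max_redirects:
            raise TooManyRedirects(f"gave up after {max_redirects} redirects")
        nxt = urljoin(current, location)  # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https"):
            raise ValueError(f"refusing non-HTTP redirect target: {nxt}")
        if nxt in seen:
            raise TooManyRedirects(f"redirect loop at {nxt}")
        seen.add(nxt)
        hops.append(nxt)
        current = nxt

# Constructed sample responses standing in for the network.
SAMPLE = {
    "https://a.example/post": (301, "/moved"),
    "https://a.example/moved": (302, "https://b.example/final"),
    "https://b.example/final": (200, None),
    "https://loop.example/1": (301, "/2"),
    "https://loop.example/2": (301, "/1"),
}

def fake_fetch(url):
    # chain.example redirects /N to /N+1 forever: the "no end" case.
    if url.startswith("https://chain.example/"):
        n = int(url.rsplit("/", 1)[1])
        return 301, f"/{n + 1}"
    return SAMPLE[url]

if __name__ == "__main__":
    print(resolve_source("https://a.example/post", fake_fetch))
```
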