From 61bbe4c3d1349bdc34801e502e6b34a53e39145d Mon Sep 17 00:00:00 2001 From: Ben Francis Date: Wed, 17 Aug 2022 14:25:42 +0100 Subject: [PATCH] Refine assertions around 3xx redirect responses - closes #246 --- index.html | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/index.html b/index.html index 3abf847..23e23e9 100644 --- a/index.html +++ b/index.html @@ -1797,10 +1797,11 @@

Errors

- A Web Thing MUST NOT issue any 3xx status codes. + A Web Thing MAY respond with 3xx status codes for the purposes of + redirection, caching or authentication. - A Consumer MAY treat all 3xx codes as errors that do not change the status or behavior - of the consumer. + A Web Thing MUST NOT respond with a 300 Multiple Choices + status code.

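Review bot: Consumer handling of 3xx responses is left undefined by this hunk. It deletes "A Consumer MAY treat all 3xx codes as errors ..." and adds only Thing-side assertions, so a Consumer that receives a now-permitted redirect has no normative guidance. Suggest adding a Consumer assertion next to the new MAY that states whether the Consumer follows the redirect target and, since the text names authentication as a purpose, whether credentials sent with the original request may be re-sent to a target on a different origin. The clause "for the purposes of redirection, caching or authentication" is also hard to test as written; naming the specific status codes intended would make it checkable, in the same way 300 Multiple Choices is named explicitly.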
@@ -1810,18 +1811,6 @@

Errors

Consumers MAY interpret other valid HTTP error codes as a generic 4xx or 5xx error with no special defined behaviour.

-

- - TODO: If we define the finite set of error responses as above then we - should also define what a Consumer should do if it receives a 3xx - redirect type response. - -

- It turns out 3xx redirection codes are used as part of some OAuth2 flows, so it may be - in appropriate to disallow them generally. See the "Security Bootstrapping" section of - WoT Discovery. -

-

If an HTTP error response contains a body, the content of that body
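Review bot: The removed TODO asked what a Consumer should do when it receives a 3xx response, and nothing in the visible hunks answers that, so deleting it drops an open question rather than resolving it. The removed note also carried the only rationale for permitting redirects (their use in some OAuth2 flows) and the pointer to the "Security Bootstrapping" section of WoT Discovery; suggest keeping that reference as an informative note beside the new MAY assertion so implementers can see why 3xx is allowed. The retained context line about interpreting other codes as "a generic 4xx or 5xx error" does not cover 3xx either.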