As I understand it, Redirect-Origin is something that security-conscious RPs could implement if they want, but isn't required for functionality. So existing form_post RPs would work out of the box. Furthermore, I'd expect a switch from query to post to be a fairly trivial one handled nearly invisibly by most robust HTTP frameworks, whereas a switch to Redirect-Query would require more custom impl. (Yes I assume if/when this spec lands HTTP frameworks would gradually adopt support, but that's a slow process and RPs will be even slower to pull new versions of HTTP frameworks, as it can be a big change.)
On Mon, Jan 5, 2026 at 10:59 AM Dick Hardt <[email protected]> wrote:

> I reread your proposal and see my response did not address what you actually proposed, sorry!
>
> Your proposal would only work for the RPs that are using response_mode=form_post -- but for RPs that are expecting a query or fragment, they will fail if they get a POST.
>
> Also, if the RP is using response_mode=form_post, sending cookies with SameSite=Lax is not going to help as they are not expecting that to work, and if they use cookies, they are using SameSite=none.
>
> The RP would also need to have updates for it to take advantage of the Redirect-Origin header.
>
> In short, I don't see how the RP is going to get the benefit unless the RP makes changes -- or am I missing something?
>
> On Mon, Jan 5, 2026 at 6:49 PM Nick Watson <[email protected]> wrote:
>
>> > The RP has to be updated if it is going to look for the response parameters in the headers first before looking at the query string or form body
>>
>> With my version of the proposal the RP doesn't need that. The browser handles it entirely, and the RP receives a normal-looking form post.
>>
>> On Mon, Jan 5, 2026 at 8:56 AM Dick Hardt <[email protected]> wrote:
>>
>>> To close out this thread, I've posted https://datatracker.ietf.org/doc/draft-hardt-httpbis-redirect-headers/ to datatracker and hope the work is adopted by the httpbis WG.
>>>
>>> On Tue, Dec 23, 2025 at 7:58 PM Dick Hardt <[email protected]> wrote:
>>>
>>>> On Tue, Dec 23, 2025 at 6:25 PM Nick Watson <[email protected]> wrote:
>>>>
>>>>> For OAuth/OIDC specifically, I'm worried about the amount of churn on RPs having to adopt Redirect-Query.
>>>>
>>>> The RP has to be updated if it is going to look for the response parameters in the headers first before looking at the query string or form body. Once the RP is making one change, doing the other one is simple. I would expect that this would be added to libraries and be invisible to the long tail of RPs.
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
