Add security consideration for maximum redirect limit
trwnh authored Oct 21, 2024
1 parent 18f39e4 commit 04df090
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion index.html
Expand Up @@ -53,7 +53,7 @@ <h3>Forward discovery of an actor document given a WebFinger address</h3>
<li>Construct an <code>acct:</code> URI of the form <code>acct:user@domain</code> (as defined in [[RFC7565]])</li>
<li>Make an HTTP GET request to that hostname's WebFinger well-known endpoint, using the <code>acct:</code> URI as the value of the <code>resource</code> query parameter (as described in [[RFC7033]])</li>
</ol>
<p>For example, the WebFinger address <code>[email protected]</code> can be resolved as a resource by making an HTTP GET request for <code>https://social.example/.well-known/webfinger?resource=acct:[email protected]</code> (which is <code>https://social.example/.well-known/webfinger?resource=acct:alyssa%40social.example</code> when percent-encoded). This request MAY result in an HTTP 3xx redirect, in which case the redirect MUST be followed to the <code>Location</code> header's value, which MUST be an <code>https:</code> URI per [[RFC7033]]. The final request MUST return a JRD (JSON Resource Descriptor, as defined in [[RFC6415]]) with <code>application/jrd+json</code> as the content type (assuming no specified <code>Accept</code> header).</p>
<p>For example, the WebFinger address <code>[email protected]</code> can be resolved as a resource by making an HTTP GET request for <code>https://social.example/.well-known/webfinger?resource=acct:[email protected]</code> (which is <code>https://social.example/.well-known/webfinger?resource=acct:alyssa%40social.example</code> when percent-encoded). This request MAY result in an HTTP 3xx redirect, in which case the redirect MUST be followed to the <code>Location</code> header's value, which MUST be an <code>https:</code> URI per [[RFC7033]]. (Subsequent redirects SHOULD be followed, up until a maximum redirect limit at the discretion of the requester.) The final request MUST return a JRD (JSON Resource Descriptor, as defined in [[RFC6415]]) with <code>application/jrd+json</code> as the content type (assuming no specified <code>Accept</code> header).</p>
<p>The WebFinger request and response may look like this:</p>
<pre class="http example" title="Sample WebFinger request and JRD response">
GET /.well-known/webfinger?resource=acct:alyssa%40social.example HTTP/1.1
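Review bot: the new parenthetical leaves the `https:` requirement ambiguous for the second and later hops. The preceding sentence attaches "MUST be an `https:` URI per [[RFC7033]]" only to the first redirect's `Location`, so a reader could take the limit-bounded SHOULD as allowing a later hop in the chain to point at a non-`https:` URI. Suggest: "Subsequent redirects SHOULD be followed in the same manner (each `Location` value MUST likewise be an `https:` URI), up until a maximum redirect limit at the discretion of the requester." It would also help to state that the limit must be at least 1, since the sentence before makes following the first redirect a MUST.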
Expand Down Expand Up @@ -282,6 +282,7 @@ <h3>Other uses of WebFinger</h3>
<section class="informative" id="security">
<h2>Security Considerations</h2>
<p>Using WebFinger can provide proof of existence of an associated actor document, as well as make it easier to discover that associated actor document; following this, an actor's inbox can be likewise discovered, and spam or other unwanted messages can be delivered to that actor's inbox. It may be desirable for some systems to not publicly expose an actor's existence and instead rely on the user manually entering their actor's HTTPS URI, or maintaining a "contact list" of bookmarked actors or resources. For such systems, the use of WebFinger is not advisable.</p>
<p>WebFinger allows for the lookup request to redirect; this primarily allows a web host or origin to defer or delegate their WebFinger lookups to a separate WebFinger service, but it can also create an issue when there are multiple redirects. For this reason, anyone making a WebFinger request should take care to limit the maximum number of redirects that they follow.</p>
</section>
<section class="informative" id="future">
<h2>Future Enhancements</h2>
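Review bot: "can also create an issue when there are multiple redirects" does not say what the issue is, so an implementer cannot judge what limit is appropriate. Suggest naming it, for example "a redirect chain that is very long, or that loops back on itself, can keep the requester issuing requests indefinitely", and cross-referencing the normative text in the forward-discovery section, which already places the limit at the requester's discretion. It may also be worth adding that each redirect target in the chain should still be checked against the `https:` requirement stated there, so a delegated WebFinger service cannot move the lookup onto an unprotected transport.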

1 comment on commit 04df090

@ThisIsMissEm

Nice one!
