Any holes in securing an HTTP request with HMAC using ONLY the HTTP method and URL?

StackOverflow https://stackoverflow.com/questions/23605869

20-07-2023

Question

I want to redirect my user's browser using HTTP code 303 to a GET URL that I secure using HMAC. Because the request will come from the user's browser, I will not have foreknowledge of the request headers. So I am generating the HMAC hash using the values of the HTTP method and URL only. For example, the URL I want the browser to go to might be:

GET /download
    ?name=report.pdf
    &include=http://url1
    &include=http://url2

This creates report.pdf for me, containing the contents of all the URLs specified using the include query param.

My HMAC code will change this URL to be

GET /download
    ?name=report.pdf
    &include=http://url1
    &include=http://url2
    &hmac-algorithm=simple-hmac
    &hmac-signature=idhihhoaiDOICNK

I can issue HTTP 303 to the user using this URL, and the user will get their report.pdf.

As I am not including the request headers in the signature, I am wondering two things:

1) Can a would-be attacker take advantage of the fact that I am not signing the request headers?

2) Is there a better way to achieve what I am trying to do?


Solution

When I realised that what I am talking about here is a signed URL, I checked the Amazon Docs and found "REST Authentication Example 3: Query String Authentication Example" in this document: http://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html.

This example is about a signed URL for use through a browser. About signing the headers, the document says:

You know that when the browser makes the GET request, it won't provide a Content-Md5 or a Content-Type header, nor will it set any x-amz- headers, so those parts are all kept empty.

In other words, Amazon leave the headers out of the signature.

Amazon make no mention of potential security holes, so until I hear otherwise (or get hacked :) ), I will assume my approach above is fine.
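A worked version of the scheme described in the question, as an added example that is not code from the post or from Amazon's documentation. It signs only the method, path and sorted query string, so request headers are not covered, as discussed above. It goes beyond the question by adding an expiry parameter so that a leaked link does not stay valid indefinitely; the shared secret, the parameter names and SHA-256 as the digest are assumptions.

```python
import hmac
import hashlib
import time
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed secret for the example; in practice load it from config or a KMS.
SECRET = b"example-shared-secret"
SIG_PARAM = "hmac-signature"   # assumed parameter names, after the question
ALG_PARAM = "hmac-algorithm"
EXP_PARAM = "hmac-expires"     # added expiry, not in the original scheme

def canonical_string(method, url):
    """String to sign: method, path and query, minus the signature itself.
    Parameters are sorted so reordering cannot change the result, and
    repeated keys (like several include=) are all kept."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != SIG_PARAM]
    params.sort()
    return method.upper() + "\n" + parts.path + "\n" + urlencode(params)

def sign_url(method, url, expires_in=300, now=None):
    """Return the URL with algorithm, expiry and signature parameters appended."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parts.query
    query += ("&" if query else "") + urlencode(
        [(ALG_PARAM, "simple-hmac"), (EXP_PARAM, str(now + expires_in))])
    unsigned = parts._replace(query=query).geturl()
    sig = hmac.new(SECRET, canonical_string(method, unsigned).encode(),
                   hashlib.sha256).hexdigest()
    return unsigned + "&" + urlencode([(SIG_PARAM, sig)])

def verify_url(method, url, now=None):
    """True only if the signature matches and the expiry has not passed."""
    now = int(time.time()) if now is None else now
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    sig = params.get(SIG_PARAM)
    exp = params.get(EXP_PARAM)
    if sig is None or exp is None or not exp.isdigit() or int(exp) < now:
        return False
    expected = hmac.new(SECRET, canonical_string(method, url).encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the digest via timing.
    return hmac.compare_digest(expected, sig)
```

Because the method is part of the signed string, a signature issued for GET does not verify for any other method, and any change to an include value invalidates it.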
