Opened 12 years ago

Closed 10 years ago

#10 closed design (fixed)

Safe Methods vs Redirection

Reported by: mnot@…
Owned by:
Priority: urgent
Milestone: 09
Component: p2-semantics
Severity: Active WG Document
Keywords:
Cc:

Description

Section 10.3.2 (301 Moved Permanently) contains the paragraph

    If the 301 status code is received in response to a request other
    than GET or HEAD, the user agent MUST NOT automatically redirect the
    request unless it can be confirmed by the user, since this might
    change the conditions under which the request was issued.

which fails to consider that there are many other request methods that are safe to automatically redirect, and further that the user agent is able to make that determination based on the request method semantics. In particular, the OPTIONS method is always safe to automatically redirect. Unfortunately, the paragraph was written long before there was OPTIONS, and was never updated to reflect the extensibility of methods. The same problem paragraph is found in sections 10.3.3 and 10.3.8.

The above should be replaced with

    If the 301 status code is received in response to a request method
    that is known to be "safe", as defined in section 9.1.1, then the
    request MAY be automatically redirected by the user agent without
    confirmation.  Otherwise, the user agent MUST NOT automatically
    redirect the request unless it is confirmed by the user, since the
    new URI might change the conditions under which the request was issued.

along with similar changes for sections 10.3.3 and 10.3.8. It would also be helpful for each of the method definition sections to specifically define whether or not the method is safe. OPTIONS, GET, and HEAD are all safe in RFC 2616. HTTP extensions like WebDAV define additional safe methods.
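To make the proposed rule concrete, here is an added example of a user-agent redirect policy written against it (illustrative Python, not code from this ticket, from the HTTPbis drafts, or from any real user agent). It assumes that a 303 response is followed with GET and that 301, 302 and 307 repeat the original method; the PROPFIND registration at the end is a constructed illustration of an extension declaring one of its methods safe, and the function and constant names are this example's own.

```python
"""Redirect policy based on method safety, as this ticket proposes.

Added example, not code from the HTTPbis working group, RFC 2616 or any
real user agent.  It replaces the old "GET or HEAD" test with
"is the method of the second request safe?".
"""

# Methods the ticket cites as safe in RFC 2616 section 9.1.1.
# The set is extensible: an HTTP extension (WebDAV, for example) may
# declare further methods safe, which register_safe_method() models.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Status codes this rule covers: 301, 302 and 307 repeat the request,
# 303 asks the client to GET the new URI instead.
REDIRECT_STATUSES = {301, 302, 303, 307}


def register_safe_method(method: str) -> None:
    """Let an extension declare one of its methods safe.

    Constructed helper: in practice the extension's specification makes
    this statement and the user agent is configured accordingly.
    HTTP method names are case-sensitive tokens, so no normalisation.
    """
    SAFE_METHODS.add(method)


def second_request_method(status: int, method: str) -> str:
    """Method the user agent would use for the request to the new URI.

    Assumption for this example: a 303 (See Other) is followed with GET;
    301, 302 and 307 repeat the original method.
    """
    return "GET" if status == 303 else method


def redirect_decision(status: int, method: str, user_confirmed: bool = False) -> str:
    """Apply the proposed rule to one response.

    Returns:
      "follow"             - the user agent may redirect automatically
      "needs-confirmation" - redirecting would replay a non-safe request
                             against a new URI (possibly a new host), so
                             the user must confirm it first
      "not-a-redirect"     - status is not one this rule covers
    """
    if status not in REDIRECT_STATUSES:
        return "not-a-redirect"
    if second_request_method(status, method) in SAFE_METHODS:
        return "follow"
    # A non-safe method (POST with a body, PUT, DELETE, ...) may have side
    # effects; replaying it at a URI the user never addressed is the
    # "change in conditions" the ticket text warns about.
    return "follow" if user_confirmed else "needs-confirmation"


if __name__ == "__main__":
    # Constructed sample responses: (status, original method).
    samples = [(301, "GET"), (301, "OPTIONS"), (301, "POST"),
               (303, "POST"), (307, "DELETE"), (302, "PROPFIND")]
    for status, method in samples:
        print(status, method, "->", redirect_decision(status, method))
    # Illustrative registration by an extension: PROPFIND is a WebDAV
    # property query; whether it is safe is the extension's statement.
    register_safe_method("PROPFIND")
    print(302, "PROPFIND", "->", redirect_decision(302, "PROPFIND"))
```

The point of routing every decision through `second_request_method()` is the one Maciej Stachowiak's later comment raises for the 3xx introduction: what matters is the method of the request the user agent is about to send to the new URI, which for a 303 is GET even when the original request was a POST.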

Change History (8)

comment:1 Changed 12 years ago by fielding@…

  • Milestone set to 01
  • Resolution set to fixed
  • Status changed from new to closed
  • version set to 00

Fixed in [88]

comment:2 Changed 12 years ago by mnot@…

  • version changed from 00 to d00

comment:3 Changed 11 years ago by julian.reschke@…

  • Component set to p2-semantics

comment:4 Changed 11 years ago by julian.reschke@…

  • origin set to http://lists.w3.org/Archives/Public/ietf-http-wg-old/2001JanApr/0031.html

comment:5 Changed 10 years ago by julian.reschke@…

  • Milestone changed from 01 to 09
  • Priority set to urgent
  • Resolution fixed deleted
  • Severity set to Active WG Document
  • Status changed from closed to reopened

Maciej Stachowiak points out that we did not fix this everywhere (http://lists.w3.org/Archives/Public/ietf-http-wg/2010JanMar/0170.html), the introduction to 3xx still says:

"The action required MAY be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD."

comment:6 Changed 10 years ago by julian.reschke@…

From [759]:

Replace "GET or HEAD" by "safe method" in intro to 3xx codes (see #10)

comment:7 Changed 10 years ago by julian.reschke@…

From [760]:

Replace "GET or HEAD" by "safe method" in intro to 3xx codes (fix typo) (see #10)

comment:8 Changed 10 years ago by mnot@…

  • Resolution set to fixed
  • Status changed from reopened to closed