Opened 15 years ago
Closed 13 years ago
#10 closed design (fixed)
Safe Methods vs Redirection
Reported by: | mnot@… | Owned by: | |
---|---|---|---|
Priority: | urgent | Milestone: | 09 |
Component: | p2-semantics | Severity: | Active WG Document |
Keywords: | | Cc: | |
Description
Section 10.3.2 (301 Moved Permanently) contains the paragraph
If the 301 status code is received in response to a request other
than GET or HEAD, the user agent MUST NOT automatically redirect the
request unless it can be confirmed by the user, since this might
change the conditions under which the request was issued.
which fails to consider that there are many other request methods that are safe to automatically redirect, and further that the user agent is able to make that determination based on the request method semantics. In particular, the OPTIONS method is always safe to automatically redirect. Unfortunately, the paragraph was written long before there was OPTIONS, and was never updated to reflect the extensibility of methods. The same problem paragraph is found in sections 10.3.3 and 10.3.8.
The above should be replaced with
If the 301 status code is received in response to a request method
that is known to be "safe", as defined in section 9.1.1, then the
request MAY be automatically redirected by the user agent without
confirmation. Otherwise, the user agent MUST NOT automatically
redirect the request unless it is confirmed by the user, since the
new URI might change the conditions under which the request was issued.
along with similar changes for sections 10.3.3 and 10.3.8. It would also be helpful for each of the method definition sections to specifically define whether or not the method is safe. OPTIONS, GET, and HEAD are all safe in RFC 2616. HTTP extensions like WebDAV define additional safe methods.
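The rule the description proposes, as an added worked example that is not part of this ticket or of any WG draft: a user agent keys its decision to follow a 301/302/307 automatically on whether the request method is known to be safe, and keeps that set extensible so that extensions such as WebDAV can register further safe methods. The `send` transport, the constructed response table, the `confirm` callback standing in for user confirmation, and the registration of PROPFIND as a safe method are all assumptions of this example; the 303 handling (the second request is a GET, so it may always be followed) is taken from RFC 2616 section 10.3.4 rather than from the ticket text. The security point the example makes concrete is that an unsafe request such as a POST is handed back at the 3xx instead of being replayed to a URI the user never chose.

```python
"""Redirect policy keyed on request-method safety (added example, not WG code)."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Methods RFC 2616 defines as safe (section 9.1.1): GET, HEAD and OPTIONS.
RFC2616_SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})

# 301, 302 and 307 (the sections the ticket cites) redirect the *same* method
# to the new URI, so the safety of that method decides.  303 tells the client
# to GET the new URI, so it may always be followed; this is an assumption
# drawn from RFC 2616 10.3.4, not from the ticket text.
METHOD_PRESERVING_REDIRECTS = frozenset({301, 302, 307})
GET_REDIRECTS = frozenset({303})
REDIRECTS = METHOD_PRESERVING_REDIRECTS | GET_REDIRECTS

Response = Tuple[int, Dict[str, str]]
Transport = Callable[[str, str], Response]


@dataclass
class RedirectPolicy:
    """Decides whether a redirect may be followed without asking the user."""
    safe_methods: frozenset = RFC2616_SAFE_METHODS

    def register_safe(self, *methods: str) -> None:
        # Extension point: WebDAV and other extensions define extra safe
        # methods; the user agent learns them here instead of hard-coding them.
        self.safe_methods = self.safe_methods | {m.upper() for m in methods}

    def may_auto_redirect(self, status: int, method: str) -> bool:
        if status in GET_REDIRECTS:
            return True
        if status in METHOD_PRESERVING_REDIRECTS:
            return method.upper() in self.safe_methods
        return False


def follow_redirects(send: Transport, method: str, url: str,
                     policy: RedirectPolicy,
                     confirm: Optional[Callable[[str, str, str], bool]] = None,
                     max_hops: int = 5) -> Tuple[int, str, str]:
    """Issue the request and follow only the redirects ``policy`` permits.

    ``send(method, url)`` is the caller's transport and returns
    ``(status, headers)``.  ``confirm(method, old_url, new_url)`` stands in
    for user confirmation of an unsafe redirect.  Returns the final
    ``(status, url, method)``; an unfollowed 3xx is returned as-is so the
    caller can surface it rather than silently replaying an unsafe request.
    """
    hops = 0
    while True:
        status, headers = send(method, url)
        location = headers.get("Location")
        if status not in REDIRECTS or not location:
            return status, url, method
        if hops >= max_hops:
            raise RuntimeError("redirect loop or chain too long")
        if not policy.may_auto_redirect(status, method):
            if confirm is None or not confirm(method, url, location):
                return status, url, method      # stop; do not replay the request
        if status in GET_REDIRECTS:
            method = "GET"                      # 303: the second request is a GET
        url = location
        hops += 1


# Constructed response table standing in for origin servers (not real traffic).
CONSTRUCTED_RESPONSES: Dict[Tuple[str, str], Response] = {
    ("GET", "/old"):      (301, {"Location": "/new"}),
    ("OPTIONS", "/old"):  (301, {"Location": "/new"}),
    ("POST", "/old"):     (301, {"Location": "/new"}),
    ("PROPFIND", "/old"): (302, {"Location": "/new"}),
    ("POST", "/submit"):  (303, {"Location": "/done"}),
}


def fake_send(method: str, url: str) -> Response:
    """Assumed transport: anything not in the table answers 200 with no headers."""
    return CONSTRUCTED_RESPONSES.get((method.upper(), url), (200, {}))


if __name__ == "__main__":
    policy = RedirectPolicy()
    print(follow_redirects(fake_send, "OPTIONS", "/old", policy))   # safe: followed
    print(follow_redirects(fake_send, "POST", "/old", policy))      # unsafe: stops at the 301
    webdav = RedirectPolicy()
    webdav.register_safe("PROPFIND")   # assumption: registered as a safe WebDAV method
    print(follow_redirects(fake_send, "PROPFIND", "/old", webdav))
```

Handing the unfollowed 3xx back to the caller, rather than dropping it or following it anyway, keeps the decision visible: the caller can prompt the user (the `confirm` hook) or fail closed, and a method the agent has never heard of is treated as unsafe by default, which is the conservative reading of the proposed text.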
Change History (8)
comment:1 Changed 15 years ago by fielding@…
- Milestone set to 01
- Resolution set to fixed
- Status changed from new to closed
- version set to 00
comment:2 Changed 15 years ago by mnot@…
- version changed from 00 to d00
comment:3 Changed 14 years ago by julian.reschke@…
- Component set to p2-semantics
comment:4 Changed 14 years ago by julian.reschke@…
- origin set to http://lists.w3.org/Archives/Public/ietf-http-wg-old/2001JanApr/0031.html
comment:5 Changed 13 years ago by julian.reschke@…
- Milestone changed from 01 to 09
- Priority set to urgent
- Resolution fixed deleted
- Severity set to Active WG Document
- Status changed from closed to reopened
Maciej Stachowiak points out that we did not fix this everywhere (http://lists.w3.org/Archives/Public/ietf-http-wg/2010JanMar/0170.html), the introduction to 3xx still says:
"The action required MAY be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD."
comment:6 Changed 13 years ago by julian.reschke@…
comment:7 Changed 13 years ago by julian.reschke@…
comment:8 Changed 13 years ago by mnot@…
- Resolution set to fixed
- Status changed from reopened to closed
Fixed in [88]