Requirements for user intervention during redirects

[mnot@…]

The redirect status codes define requirements for user intervention; e.g.,

If the 301 status code is received in response to a request method that is known to be "safe", as defined in Section 7.1.1, then the request MAY be automatically redirected by the user agent without confirmation. Otherwise, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

However, this requirement is not often implemented by UAs.

In dealing with this issue, we need to consider the impact of #160.

Raised by Adam Barth at IETF78.

[julian.reschke@…]

Whatever we come up with should be made consistent with the requirements on safe message handling, see ​http://lists.w3.org/Archives/Public/ietf-http-wg/2010JulSep/0246.html.

[mnot@…]

Waiting for resolution of #160.

[julian.reschke@…]

Note on how current UAs prompt, tested using <​http://www.mnot.net/javascript/xmlhttprequest/>:

• DELETE -> 301/302
  • Chrome 14/Safari 5.1: no prompt (rewritten to GET)
  • Internet Explorer 9: no prompt (method preserved)
  • Firefox 7: no prompt (rewritten to GET)
  • Opera 11.5: no prompt (rewritten to GET)
• DELETE -> 303
  • Chrome 14/Safari 5.1: no prompt (rewritten to GET)
  • Internet Explorer 9: no prompt (rewritten to GET)
  • Firefox 7: no prompt (rewritten to GET)
  • Opera 11.5: no prompt (rewritten to GET)
• DELETE -> 307
  • Chrome 14/Safari 5.1: no prompt (method preserved)
  • Internet Explorer 9: no prompt (method preserved)
  • Firefox 7: prompt (method preserved)
  • Opera 11.5: prompt (method preserved)

• POST -> 301/302
  • Chrome 14/Safari 5.1: no prompt (rewritten to GET)
  • Internet Explorer 9: no prompt (rewritten to GET)
  • Firefox 7: no prompt (rewritten to GET)
  • Opera 11.5: no prompt (rewritten to GET)
• POST -> 303
  • Chrome 14/Safari 5.1: no prompt (rewritten to GET)
  • Internet Explorer 9: no prompt (rewritten to GET)
  • Firefox 7: no prompt (rewritten to GET)
  • Opera 11.5: no prompt (rewritten to GET)
• POST -> 307
  • Chrome 14/Safari 5.1: no prompt (method preserved)
  • Internet Explorer 9: no prompt (method preserved)
  • Firefox 7: prompt (method preserved)
  • Opera 11.5: prompt (method preserved)

• PUT -> 301/302
  • Chrome 14/Safari 5.1: no prompt (rewritten to GET)
  • Internet Explorer 9: no prompt (method preserved)
  • Firefox 7: no prompt (rewritten to GET)
  • Opera 11.5: no prompt (rewritten to GET)
• PUT -> 303
  • Chrome 14/Safari 5.1: no prompt (rewritten to GET)
  • Internet Explorer 9: no prompt (method preserved)
  • Firefox 7: no prompt (rewritten to GET)
  • Opera 11.5: no prompt (rewritten to GET)
• PUT -> 307
  • Chrome 14/Safari 5.1: no prompt
  • Internet Explorer 9: no prompt
  • Firefox 7: prompt (method preserved)
  • Opera 11.5: prompt (method preserved)

[mnot@…]

Suggestion is to drop the requirement, perhaps provide a warning about the risks in prose.

[julian.reschke@…]

Proposed patch

[julian.reschke@…]

From [1534]:

Replace normative requirements on redirect on unsafe methods with prose advice (see #238)