Opened 13 years ago
Closed 11 years ago
#238 closed design (fixed)
Requirements for user intervention during redirects
| Reported by: | mnot@… | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 19 |
| Component: | p2-semantics | Severity: | Active WG Document |
| Keywords: | | Cc: | |
Description
The redirect status codes define requirements for user intervention; e.g.,
> If the 301 status code is received in response to a request method that is known to be "safe", as defined in Section 7.1.1, then the request MAY be automatically redirected by the user agent without confirmation. Otherwise, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.
However, this requirement is not often implemented by UAs.
In dealing with this issue, we need to consider the impact of #160.
Raised by Adam Barth at IETF78.
Attachments (1)
Change History (10)
comment:1 Changed 12 years ago by julian.reschke@…
comment:2 Changed 12 years ago by mnot@…
- Priority changed from normal to blocked
Waiting for resolution of #160.
comment:3 Changed 11 years ago by julian.reschke@…
Note on how current UAs prompt, tested using <http://www.mnot.net/javascript/xmlhttprequest/>:
- DELETE -> 301/302
  - Chrome 14/Safari 5.1: no prompt (rewritten to GET)
  - Internet Explorer 9: no prompt (method preserved)
  - Firefox 7: no prompt (rewritten to GET)
  - Opera 11.5: no prompt (rewritten to GET)
- DELETE -> 303
  - Chrome 14/Safari 5.1: no prompt (rewritten to GET)
  - Internet Explorer 9: no prompt (rewritten to GET)
  - Firefox 7: no prompt (rewritten to GET)
  - Opera 11.5: no prompt (rewritten to GET)
- DELETE -> 307
  - Chrome 14/Safari 5.1: no prompt (method preserved)
  - Internet Explorer 9: no prompt (method preserved)
  - Firefox 7: prompt (method preserved)
  - Opera 11.5: prompt (method preserved)
- POST -> 301/302
  - Chrome 14/Safari 5.1: no prompt (rewritten to GET)
  - Internet Explorer 9: no prompt (rewritten to GET)
  - Firefox 7: no prompt (rewritten to GET)
  - Opera 11.5: no prompt (rewritten to GET)
- POST -> 303
  - Chrome 14/Safari 5.1: no prompt (rewritten to GET)
  - Internet Explorer 9: no prompt (rewritten to GET)
  - Firefox 7: no prompt (rewritten to GET)
  - Opera 11.5: no prompt (rewritten to GET)
- POST -> 307
  - Chrome 14/Safari 5.1: no prompt (method preserved)
  - Internet Explorer 9: no prompt (method preserved)
  - Firefox 7: prompt (method preserved)
  - Opera 11.5: prompt (method preserved)
- PUT -> 301/302
  - Chrome 14/Safari 5.1: no prompt (rewritten to GET)
  - Internet Explorer 9: no prompt (method preserved)
  - Firefox 7: no prompt (rewritten to GET)
  - Opera 11.5: no prompt (rewritten to GET)
- PUT -> 303
  - Chrome 14/Safari 5.1: no prompt (rewritten to GET)
  - Internet Explorer 9: no prompt (method preserved)
  - Firefox 7: no prompt (rewritten to GET)
  - Opera 11.5: no prompt (rewritten to GET)
- PUT -> 307
  - Chrome 14/Safari 5.1: no prompt
  - Internet Explorer 9: no prompt
  - Firefox 7: prompt (method preserved)
  - Opera 11.5: prompt (method preserved)
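The confirmation rule quoted in the description, written as a client-side redirect policy and run over the method/status pairs tested above; this is an added example, not code from the ticket or from the HTTPbis drafts. The safe-method set, applying the quoted 301 rule to 301, 302 and 307 but not 303, and all function, option and URL names are assumptions of the example.

```javascript
// Added example, not code from the ticket. Names and options are assumptions.
const SAFE = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]); // assumed "safe" set
const CONFIRMABLE = new Set([301, 302, 307]); // assumption: quoted rule covers these

// Method of the follow-up request. 303 switches to GET and 307 preserves the
// method; for 301/302, rewriteLegacy selects the GET rewrite that most UAs in
// comment:3 applied, or method preservation when false.
function followUpMethod(method, status, rewriteLegacy = true) {
  if (status === 307) return method;
  if (status === 303) return method === "HEAD" ? "HEAD" : "GET";
  if (SAFE.has(method)) return method;
  return rewriteLegacy ? "GET" : method;
}

// Decide how to handle one response. `confirm` is a caller-supplied callback
// that returns true only when the user approved re-sending the request.
function decideRedirect(request, response, confirm, rewriteLegacy = true) {
  const method = request.method.toUpperCase();
  const { status, location } = response;
  if (![301, 302, 303, 307].includes(status) || !location) {
    return { action: "deliver" }; // not a redirect this policy acts on
  }
  const next = followUpMethod(method, status, rewriteLegacy);
  const target = new URL(location, request.url).href; // resolve relative Location
  // Safe request method (or 303, by this example's assumption): follow automatically.
  if (SAFE.has(method) || !CONFIRMABLE.has(status)) {
    return { action: "follow", method: next, url: target, prompted: false };
  }
  // Unsafe method: do not redirect unless the user confirms.
  const approved = typeof confirm === "function" &&
    confirm({ from: request.url, to: target, method, next, status }) === true;
  return { action: approved ? "follow" : "block", method: next, url: target, prompted: true };
}

// Constructed sample: the method/status pairs from comment:3, confirmation denied.
function promptMatrix() {
  const out = {};
  for (const method of ["DELETE", "POST", "PUT"]) {
    for (const status of [301, 302, 303, 307]) {
      const d = decideRedirect({ method, url: "https://app.example/items/1" },
        { status, location: "/moved/1" }, () => false);
      out[`${method} ${status}`] = `${d.action} as ${d.method}`;
    }
  }
  return out;
}
console.log(promptMatrix());
```

With confirmation denied, every 301, 302 and 307 row is blocked, whereas the user agents listed in comment:3 followed most of them without a prompt.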
comment:4 Changed 11 years ago by mnot@…
- Priority changed from blocked to normal
comment:5 Changed 11 years ago by mnot@…
Suggestion is to drop the requirement, perhaps provide a warning about the risks in prose.
comment:6 Changed 11 years ago by julian.reschke@…
comment:7 Changed 11 years ago by julian.reschke@…
- Milestone changed from unassigned to 19
- Resolution set to incorporated
- Status changed from new to closed
comment:8 Changed 11 years ago by mnot@…
- Resolution incorporated deleted
- Status changed from closed to reopened
comment:9 Changed 11 years ago by mnot@…
- Resolution set to fixed
- Status changed from reopened to closed
Whatever we come up with should be made consistent with the requirements on safe message handling, see http://lists.w3.org/Archives/Public/ietf-http-wg/2010JulSep/0246.html.