
Ticket #10 (closed design: fixed)

Opened 7 years ago

Last modified 4 years ago

Safe Methods vs Redirection

Reported by: mnot@pobox.com
Owned by:
Priority: urgent
Milestone: 09
Component: p2-semantics
Severity: Active WG Document
Keywords:
Cc:
Origin: http://lists.w3.org/Archives/Public/ietf-http-wg-old/2001JanApr/0031.html

Description

Section 10.3.2 (301 Moved Permanently) contains the paragraph

    If the 301 status code is received in response to a request other
    than GET or HEAD, the user agent MUST NOT automatically redirect the
    request unless it can be confirmed by the user, since this might
    change the conditions under which the request was issued.

which fails to consider that there are many other request methods that are safe to automatically redirect, and further that the user agent is able to make that determination based on the request method semantics. In particular, the OPTIONS method is always safe to automatically redirect. Unfortunately, the paragraph was written long before there was OPTIONS, and was never updated to reflect the extensibility of methods. The same problem paragraph is found in sections 10.3.3 and 10.3.8.

The above should be replaced with

    If the 301 status code is received in response to a request method
    that is known to be "safe", as defined in section 9.1.1, then the
    request MAY be automatically redirected by the user agent without
    confirmation.  Otherwise, the user agent MUST NOT automatically
    redirect the request unless it is confirmed by the user, since the
    new URI might change the conditions under which the request was issued.

along with similar changes for sections 10.3.3 and 10.3.8. It would also be helpful for each of the method definition sections to specifically define whether or not the method is safe. OPTIONS, GET, and HEAD are all safe in RFC 2616. HTTP extensions like WebDAV define additional safe methods.
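As an added illustration (not part of the ticket or of any httpbis text or code), the following Python sketch implements the proposed rule as a client redirect policy: a 301/302/307 is followed automatically only when the request method is in a safe-method set, and otherwise the client stops and reports that user confirmation is pending. The host names and responses are constructed; the safe-method set is a parameter so that methods registered by extensions such as WebDAV can be added.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin

# Safe methods named in the ticket (RFC 2616 GET/HEAD plus OPTIONS); extensions
# such as WebDAV register more, so callers may pass an enlarged set.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
# Status codes whose definitions carry the disputed paragraph (10.3.2/.3/.8).
REDIRECT_STATUS = frozenset({301, 302, 307})

@dataclass
class Decision:
    follow: bool                   # True: redirect without asking the user
    reason: str
    target: Optional[str] = None   # resolved redirect URI, if any

def redirect_decision(method: str, status: int, request_url: str,
                      location: Optional[str], safe_methods=SAFE_METHODS) -> Decision:
    """Proposed rule: auto-follow only when the request method is safe."""
    if status not in REDIRECT_STATUS:
        return Decision(False, "not a redirect")
    if not location:
        return Decision(False, "redirect without Location header")
    target = urljoin(request_url, location)      # Location may be relative
    if method.upper() in safe_methods:
        return Decision(True, f"{method} is safe", target)
    # A non-safe request (e.g. POST) replayed against another URI may change
    # the conditions it was issued under, so the user agent stops and asks.
    return Decision(False, f"{method} is not safe; confirm with user", target)

def follow_redirects(method: str, url: str, fetch, max_hops: int = 5,
                     safe_methods=SAFE_METHODS) -> dict:
    """Drive fetch(method, url) -> (status, headers) through redirect hops."""
    hops = [url]
    for _ in range(max_hops):
        status, headers = fetch(method, url)
        d = redirect_decision(method, status, url, headers.get("Location"), safe_methods)
        if not d.follow:
            return {"url": url, "status": status, "hops": hops,
                    "needs_confirmation": d.target is not None, "pending": d.target}
        url, hops = d.target, hops + [d.target]
    raise RuntimeError("too many redirects")

# Constructed responses standing in for a server; the hosts are not real.
FAKE_RESPONSES: Dict[str, Tuple[int, Dict[str, str]]] = {
    "http://old.example/api": (301, {"Location": "/v2/api"}),
    "http://old.example/v2/api": (302, {"Location": "http://new.example/api"}),
    "http://new.example/api": (200, {}),
}

def fake_fetch(method: str, url: str) -> Tuple[int, Dict[str, str]]:
    return FAKE_RESPONSES.get(url, (404, {}))
```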

Change History

comment:1 Changed 7 years ago by fielding@gbiv.com

  • Status changed from new to closed
  • version set to 00
  • Resolution set to fixed
  • Milestone set to 01

Fixed in [88]

comment:2 Changed 7 years ago by mnot@pobox.com

  • version changed from 00 to d00

comment:3 Changed 6 years ago by julian.reschke@gmx.de

  • Component set to p2-semantics

comment:4 Changed 6 years ago by julian.reschke@gmx.de

  • Origin set to http://lists.w3.org/Archives/Public/ietf-http-wg-old/2001JanApr/0031.html

comment:5 Changed 5 years ago by julian.reschke@gmx.de

  • Priority set to urgent
  • Status changed from closed to reopened
  • Resolution fixed deleted
  • Severity set to Active WG Document
  • Milestone changed from 01 to 09

Maciej Stachowiak points out that we did not fix this everywhere (http://lists.w3.org/Archives/Public/ietf-http-wg/2010JanMar/0170.html); the introduction to 3xx still says:

"The action required MAY be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD."

comment:6 Changed 5 years ago by julian.reschke@gmx.de

From [759]:

Replace "GET or HEAD" by "safe method" in intro to 3xx codes (see #10)

comment:7 Changed 5 years ago by julian.reschke@gmx.de

From [760]:

Replace "GET or HEAD" by "safe method" in intro to 3xx codes (fix typo) (see #10)

comment:8 Changed 4 years ago by mnot@pobox.com

  • Status changed from reopened to closed
  • Resolution set to fixed