Ticket #238 (closed design: fixed)

Opened 4 years ago

Last modified 2 years ago

Requirements for user intervention during redirects

Reported by: mnot@pobox.com Owned by:
Priority: normal Milestone: 19
Component: p2-semantics Severity: Active WG Document
Keywords: Cc:
Origin:

Description

The redirect status codes define requirements for user intervention; e.g.,

If the 301 status code is received in response to a request method that is known to be "safe", as defined in Section 7.1.1, then the request MAY be automatically redirected by the user agent without confirmation. Otherwise, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

However, this requirement is not often implemented by UAs.

In dealing with this issue, we need to consider the impact of #160.

Raised by Adam Barth at IETF78.

Attachments

238.diff (3.4 KB) - added by julian.reschke@gmx.de 3 years ago.
Proposed patch

Change History

comment:1 Changed 4 years ago by julian.reschke@gmx.de

Whatever we come up with should be made consistent with the requirements on safe message handling, see http://lists.w3.org/Archives/Public/ietf-http-wg/2010JulSep/0246.html.

comment:2 Changed 3 years ago by mnot@pobox.com

  • Priority changed from normal to blocked

Waiting for resolution of #160.

comment:3 Changed 3 years ago by julian.reschke@gmx.de

Note on how current UAs prompt, tested using <http://www.mnot.net/javascript/xmlhttprequest/>:

  • DELETE -> 301/302
    • Chrome 14/Safari 5.1: no prompt (rewritten to GET)
    • Internet Explorer 9: no prompt (method preserved)
    • Firefox 7: no prompt (rewritten to GET)
    • Opera 11.5: no prompt (rewritten to GET)
  • DELETE -> 303
    • Chrome 14/Safari 5.1: no prompt (rewritten to GET)
    • Internet Explorer 9: no prompt (rewritten to GET)
    • Firefox 7: no prompt (rewritten to GET)
    • Opera 11.5: no prompt (rewritten to GET)
  • DELETE -> 307
    • Chrome 14/Safari 5.1: no prompt (method preserved)
    • Internet Explorer 9: no prompt (method preserved)
    • Firefox 7: prompt (method preserved)
    • Opera 11.5: prompt (method preserved)
  • POST -> 301/302
    • Chrome 14/Safari 5.1: no prompt (rewritten to GET)
    • Internet Explorer 9: no prompt (rewritten to GET)
    • Firefox 7: no prompt (rewritten to GET)
    • Opera 11.5: no prompt (rewritten to GET)
  • POST -> 303
    • Chrome 14/Safari 5.1: no prompt (rewritten to GET)
    • Internet Explorer 9: no prompt (rewritten to GET)
    • Firefox 7: no prompt (rewritten to GET)
    • Opera 11.5: no prompt (rewritten to GET)
  • POST -> 307
    • Chrome 14/Safari 5.1: no prompt (method preserved)
    • Internet Explorer 9: no prompt (method preserved)
    • Firefox 7: prompt (method preserved)
    • Opera 11.5: prompt (method preserved)
  • PUT -> 301/302
    • Chrome 14/Safari 5.1: no prompt (rewritten to GET)
    • Internet Explorer 9: no prompt (method preserved)
    • Firefox 7: no prompt (rewritten to GET)
    • Opera 11.5: no prompt (rewritten to GET)
  • PUT -> 303
    • Chrome 14/Safari 5.1: no prompt (rewritten to GET)
    • Internet Explorer 9: no prompt (method preserved)
    • Firefox 7: no prompt (rewritten to GET)
    • Opera 11.5: no prompt (rewritten to GET)
  • PUT -> 307
    • Chrome 14/Safari 5.1: no prompt
    • Internet Explorer 9: no prompt
    • Firefox 7: prompt (method preserved)
    • Opera 11.5: prompt (method preserved)
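
The requirement quoted in the description, together with the method rewriting observed in comment:3, expressed as a redirect policy for an HTTP client. This is an added example, not part of the ticket or the HTTPbis drafts; `planRedirect`, `confirm` and `rewritePostToGet` are hypothetical names.

```javascript
// Added example (not from the ticket): redirect policy for an HTTP client.
// planRedirect, confirm and rewritePostToGet are hypothetical names.
const SAFE = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
const REDIRECTS = new Set([301, 302, 303, 307]);

function planRedirect({ method, status, location,
                        confirm = () => false, rewritePostToGet = true }) {
  const m = String(method).toUpperCase();
  if (!REDIRECTS.has(status) || !location) {
    return { follow: false, reason: "not a followable redirect" };
  }
  let next = m;
  // 303 points at a resource to retrieve: the follow-up becomes GET
  // (HEAD stays HEAD) and the original body is dropped.
  if (status === 303 && m !== "HEAD") next = "GET";
  // 301/302: every UA listed in comment:3 rewrites POST to GET.
  if ((status === 301 || status === 302) && m === "POST" && rewritePostToGet) {
    next = "GET";
  }
  if (SAFE.has(next)) {
    return { follow: true, method: next, sendBody: false,
             reason: next === m ? "safe method" : "rewritten to " + next };
  }
  // Unsafe method preserved: the same state-changing request would be
  // replayed at a target the user never chose, so ask before sending it.
  if (confirm(next, location) === true) {
    return { follow: true, method: next, sendBody: true, reason: "confirmed" };
  }
  return { follow: false, method: next,
           reason: "unsafe method needs confirmation" };
}
```

With the default `confirm`, which always declines, a preserved DELETE, PUT or POST is never re-sent automatically.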

comment:4 Changed 3 years ago by mnot@pobox.com

  • Priority changed from blocked to normal

comment:5 Changed 3 years ago by mnot@pobox.com

Suggestion is to drop the requirement, perhaps provide a warning about the risks in prose.

Changed 3 years ago by julian.reschke@gmx.de

Proposed patch

comment:6 Changed 3 years ago by julian.reschke@gmx.de

From [1534]:

Replace normative requirements on redirect on unsafe methods with prose advice (see #238)

comment:7 Changed 3 years ago by julian.reschke@gmx.de

  • Status changed from new to closed
  • Resolution set to incorporated
  • Milestone changed from unassigned to 19

comment:8 Changed 2 years ago by mnot@pobox.com

  • Status changed from closed to reopened
  • Resolution incorporated deleted

comment:9 Changed 2 years ago by mnot@pobox.com

  • Status changed from reopened to closed
  • Resolution set to fixed