
RFC 2616 errata: overspecified restriction on automatic redirects

From: Roy T. Fielding <fielding@ebuilt.com>
Date: Sat, 3 Mar 2001 05:50:52 -0800
To: http-wg@cuckoo.hpl.hp.com
Message-ID: <20010303055052.A1007@waka.ebuilt.net>

Section 10.3.2 (301 Moved Permanently) contains the paragraph

   If the 301 status code is received in response to a request other
   than GET or HEAD, the user agent MUST NOT automatically redirect the
   request unless it can be confirmed by the user, since this might
   change the conditions under which the request was issued.

which fails to consider that there are many other request methods
that are safe to automatically redirect, and further that the user agent
is able to make that determination based on the request method semantics.
In particular, the OPTIONS method is always safe to automatically redirect.
Unfortunately, the paragraph was written long before there was OPTIONS,
and was never updated to reflect the extensibility of methods.  The
same problem paragraph is found in sections 10.3.3 and 10.3.8.

The above should be replaced with

   If the 301 status code is received in response to a request method
   that is known to be "safe", as defined in section 9.1.1, then the
   request MAY be automatically redirected by the user agent without
   confirmation.  Otherwise, the user agent MUST NOT automatically
   redirect the request unless it is confirmed by the user, since the
   new URI might change the conditions under which the request was issued.

along with similar changes for sections 10.3.3 and 10.3.8.
It would also be helpful for each of the method definition sections
to specifically define whether or not the method is safe.
OPTIONS, GET, and HEAD are all safe in RFC 2616.
HTTP extensions like WebDAV define additional safe methods.

This change does not impact interoperability.

Cheers,

Roy T. Fielding, Chief Scientist, eBuilt, Inc.
                 2652 McGaw Avenue
                 Irvine, CA 92614-5840  fax:+1.949.609.0001
                 (fielding@ebuilt.com)  <http://www.eBuilt.com>

                 Chairman, The Apache Software Foundation
                 (fielding@apache.org)  <http://www.apache.org/>
Received on Saturday, 3 March 2001 14:06:41 EST
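The method-based redirect rule proposed in the message, as an added example that is not part of Fielding's mail or of RFC 2616: a client-side policy that auto-follows 301/302/307 only for safe methods and otherwise defers to a confirmation callback. The `PROPFIND` entry, the `confirm` callback and the `origin_changed` helper are assumptions made for the example.

```python
"""Redirect policy following the proposed erratum text: a 301/302/307 may be
followed automatically only when the request method is known to be safe;
any other method needs explicit confirmation, since the new URI may change
the conditions (host, scheme) under which the request was issued."""
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit

# Safe methods in RFC 2616 per the erratum (section 9.1.1 plus OPTIONS).
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
# Extensions such as WebDAV define further safe methods; PROPFIND is an
# assumed example of such a read-only extension method.
EXTENSION_SAFE_METHODS = frozenset({"PROPFIND"})
# Status codes whose RFC 2616 sections carry the same paragraph
# (10.3.2 = 301, 10.3.3 = 302, 10.3.8 = 307).
REDIRECT_STATUSES = frozenset({301, 302, 307})


@dataclass
class Request:
    method: str
    url: str


@dataclass
class Response:
    status: int
    location: Optional[str]  # Location header value; may be relative


def origin_changed(old_url: str, new_url: str) -> bool:
    """True when the redirect target lives on a different scheme/host/port."""
    a, b = urlsplit(old_url), urlsplit(new_url)
    return (a.scheme, a.hostname, a.port) != (b.scheme, b.hostname, b.port)


def redirect_decision(req: Request, resp: Response) -> str:
    """Return 'follow', 'confirm' or 'none' for one response."""
    if resp.status not in REDIRECT_STATUSES or not resp.location:
        return "none"
    if req.method.upper() in SAFE_METHODS | EXTENSION_SAFE_METHODS:
        return "follow"
    return "confirm"  # non-safe method: user agent MUST NOT auto-redirect


def next_request(req: Request, resp: Response,
                 confirm: Callable[[Request, str], bool] = lambda r, u: False
                 ) -> Optional[Request]:
    """Build the redirected request with the same method, or None to stop.
    The default confirm callback refuses, so a POST/PUT is never re-sent
    to the new URI (possibly a different origin) without a deliberate yes."""
    decision = redirect_decision(req, resp)
    if decision == "none":
        return None
    target = urljoin(req.url, resp.location)
    if decision == "confirm" and not confirm(req, target):
        return None
    return Request(req.method, target)
```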
