Re: User confirmation and 307 redirects [#238]

From: Adam Barth <ietf@adambarth.com>
Date: Thu, 19 Aug 2010 18:18:21 -0700
Message-ID: <AANLkTikZYD8zUE-WAUVC-bSJ4H94AqxqAviy=ErWFnoh@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: httpbis <ietf-http-wg@w3.org>, Maciej Stachowiak <mjs@apple.com>

Thanks Mark.  I looked in the issue tracker before sending my mail,
but I didn't find the ticket (I think because I was looking for the
keyword 307).

Adam


On Thu, Aug 19, 2010 at 6:15 PM, Mark Nottingham <mnot@mnot.net> wrote:
> Thanks for reminding us of this, Adam. When you brought it up in Maastricht, we created:
>  http://trac.tools.ietf.org/wg/httpbis/trac/ticket/238
>
> Cheers,
>
>
> On 19/08/2010, at 7:27 AM, Adam Barth wrote:
>
>> http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-11#section-8.3.8 says
>>
>> [[
>>   If the 307 status code is received in response to a request method
>>   that is known to be "safe", as defined in Section 7.1.1, then the
>>   request MAY be automatically redirected by the user agent without
>>   confirmation.  Otherwise, the user agent MUST NOT automatically
>>   redirect the request unless it can be confirmed by the user, since
>>   this might change the conditions under which the request was issued.
>> ]]
>>
>> As has been pointed out by multiple folks on multiple occasions, this
>> requirement should be removed for the following reasons:
>>
>> 1) HTTP ought not to impose constraints on the user agent's user
>> interface.  This requirement is not appropriate for all user agents,
>> for example a GPS navigation unit in a car.
>> 2) This requirement does not reflect reality.  A number of widely used
>> user agents disregard this requirement.
>> 3) This requirement is actively harmful to interoperability.  Web
>> sites cannot reliably use 307 redirects because it triggers awful UI
>> mandated by this requirement in some user agents.
>>
>> The only counter rationale I've seen on this list is that the
>> requirement is actually meaningless under a theory of
>> "pre-confirmation."  If the requirement is meaningless, that means we
>> should remove it as well.
>>
>> Kindly remove the requirement.
>>
>> Adam
>>
>
>
> --
> Mark Nottingham     http://www.mnot.net/
>
>
Received on Friday, 20 August 2010 01:19:15 GMT
