W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2011

Re: #160: Redirects and non-GET methods

From: Julian Reschke <julian.reschke@gmx.de>
Date: Wed, 31 Aug 2011 16:30:50 +0200
Message-ID: <4E5E459A.9090302@gmx.de>
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
On 2011-08-31 10:17, Julian Reschke wrote:
> On 2011-08-31 08:15, Mark Nottingham wrote:
>>
>> On 31/08/2011, at 4:12 PM, Julian Reschke wrote:
>>
>>> "The action required MAY be carried out by the user agent without
>>> interaction with the user if and only if the method used in the
>>> second request is known to be "safe", as defined in Section 6.1.1." ...
>>
>> Right. The problem is that when you combine that requirement with the
>> proposed text, it doesn't make a lot of sense, because there is no
>> "second request' for a 304 response...
>
> Indeed, but that's a problem with the old text as well.
>
> Let's do a minimal fix, so that we can treat issue #238 as separate
> problem...:
>
> "If the required action involves a subsequent HTTP request, it MAY be
> carried out by the user agent without interaction with the user if and
> only if the method used in the second request is known to be "safe", as
> defined in Section 6.1.1."
>
> Best regards, Julian

I did some more work, adding a note explaining the history of 
301/302/303/307 (removing the text from the individual descriptions), 
and add text allowing the rewrite of POST->GET for 301/302 (this is what 
issue 160 is about).

With this Section 7.3 would become:

7.3.  Redirection 3xx

    This class of status code indicates that further action needs to be
    taken by the user agent in order to fulfill the request.  If the
    required action involves a subsequent HTTP request, it MAY be carried
    out by the user agent without interaction with the user if and only
    if the method used in the second request is known to be "safe", as
    defined in Section 6.1.1.

    There are several types of redirects:

    1.  Redirects of the request to another URI, either temporarily or
        permanently.  The new URI is specified in the Location header
        field.  In this specification, the status codes 301 (Moved
        Permanently), 302 (Found), and 307 (Temporary Redirect) fall
        under this category.

    2.  Redirection to a new location that represents an indirect
        response to the request, such as the result of a POST operation
        to be retrieved with a subsequent GET request.  This is status
        code 303 (See Other).

    3.  Redirection offering a choice of matching resources for use by
        agent-driven content negotiation (Section 5.2 of [Part3]).  This
        is status code 300 (Multiple Choices).

    4.  Other kinds of redirection, such as to a cached result (status
        code 304 (Not Modified)).

       Note: In HTTP/1.0, only the status codes 301 (Moved Permanently)
       and 302 (Found) were defined for the first type of redirect, and
       the second type did not exist at all ([RFC1945], Section 9.3).
       However it turned out that web forms using POST expected redirects
       to change the operation for the subsequent request to retrieval
       (GET).  To address this use case, HTTP/1.1 introduced the second
       type of redirect with the status code 303 (See Other) ([RFC2068],
       Section 10.3.4).  As user agents did not change their behavior due
       to backwards compatibility reasons, the first revision of HTTP/1.1
       added yet another status code, 307 (Temporary Redirect), for which
       the backwards compatibility problems did not apply ([RFC2616],
       Section 10.3.8).  Over 10 years later, most user agents still do
       method rewriting for status codes 301 and 302, therefore this
       specification make that behavior compliant in case the original
       request was POST.

    Clients SHOULD detect and intervene in cyclical redirections (i.e.,
    "infinite" redirection loops).

       Note: An earlier version of this specification recommended a
       maximum of five redirections ([RFC2068], Section 10.3).  Content
       developers need to be aware that some clients might implement such
       a fixed limitation.

7.3.1.  300 Multiple Choices

    The target resource has more than one representation, each with its
    own specific location, and agent-driven negotiation information
    (Section 5 of [Part3]) is being provided so that the user (or user
    agent) can select a preferred representation by redirecting its
    request to that location.

    Unless it was a HEAD request, the response SHOULD include a
    representation containing a list of representation metadata and
    location(s) from which the user or user agent can choose the one most
    appropriate.  The data format is specified by the media type given in
    the Content-Type header field.  Depending upon the format and the
    capabilities of the user agent, selection of the most appropriate
    choice MAY be performed automatically.  However, this specification
    does not define any standard for such automatic selection.

    If the server has a preferred choice of representation, it SHOULD
    include the specific URI for that representation in the Location
    field; user agents MAY use the Location field value for automatic
    redirection.

    Caches MAY use a heuristic (see Section 2.3.1.1 of [Part6]) to
    determine freshness for 300 responses.

7.3.2.  301 Moved Permanently

    The target resource has been assigned a new permanent URI and any
    future references to this resource SHOULD use one of the returned
    URIs.  Clients with link editing capabilities ought to automatically
    re-link references to the effective request URI to one or more of the
    new references returned by the server, where possible.

    Caches MAY use a heuristic (see Section 2.3.1.1 of [Part6]) to
    determine freshness for 301 responses.

    The new permanent URI SHOULD be given by the Location field in the
    response.  Unless the request method was HEAD, the representation of
    the response SHOULD contain a short hypertext note with a hyperlink
    to the new URI(s).

    If the 301 status code is received in response to a request method
    that is known to be "safe", as defined in Section 6.1.1, then the
    request MAY be automatically redirected by the user agent without
    confirmation.  Otherwise, the user agent MUST NOT automatically
    redirect the request unless it can be confirmed by the user, since
    this might change the conditions under which the request was issued.

       Note: For historic reasons, user agents MAY change the request
       method from POST to GET for the subsequent request.  If this
       behavior is undesired, status code 307 (Temporary Redirect) can be
       used instead.

7.3.3.  302 Found

    The target resource resides temporarily under a different URI.  Since
    the redirection might be altered on occasion, the client SHOULD
    continue to use the effective request URI for future requests.

    The temporary URI SHOULD be given by the Location field in the
    response.  Unless the request method was HEAD, the representation of
    the response SHOULD contain a short hypertext note with a hyperlink
    to the new URI(s).

    If the 302 status code is received in response to a request method
    that is known to be "safe", as defined in Section 6.1.1, then the
    request MAY be automatically redirected by the user agent without
    confirmation.  Otherwise, the user agent MUST NOT automatically
    redirect the request unless it can be confirmed by the user, since
    this might change the conditions under which the request was issued.

       Note: For historic reasons, user agents MAY change the request
       method from POST to GET for the subsequent request.  If this
       behavior is undesired, status code 307 (Temporary Redirect) can be
       used instead. [[issue312: but see
       <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/312>]]


   (....remainder unchanged)

See <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/160>; feedback 
appreciated.

Best regards, Julian

PS: and yes, there are more open issues regarding redirects; this change 
is for issue 160 only.
Received on Wednesday, 31 August 2011 14:31:38 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:47 GMT