Re: #238, was: #328: user Intervention on Redirects

From: Adam Barth <w3c@adambarth.com>
Date: Tue, 7 Feb 2012 12:51:18 -0800
Message-ID: <CAJE5ia-iZN6j2R0BzcJ+HEj8eXXEvo+N0r45TzPN26WrShidTg@mail.gmail.com>
To: Julian Reschke <julian.reschke@gmx.de>
Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On Tue, Feb 7, 2012 at 12:15 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2012-02-07 00:55, Mark Nottingham wrote:
>>
>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/238>
>
> (changed subject line accordingly)
>
>>> The redirect status codes define requirements for user intervention;
>>> e.g.,
>>>
>>> If the 301 status code is received in response to a request method that
>>> is known to be "safe", as defined in Section 7.1.1, then the request MAY be
>>> automatically redirected by the user agent without confirmation. Otherwise,
>>> the user agent MUST NOT automatically redirect the request unless it can be
>>> confirmed by the user, since this might change the conditions under which
>>> the request was issued.
>>>
>>> However, this requirement is not often implemented by UAs.
>>
>>
>>
>> I'm now wondering if we should consider removing this requirement
>> altogether.
>>
>> The way it's structured now, the requirement associates intent with a URI,
>> when in reality intent is associated with the UI; the user is blissfully
>> unaware of the actual resource being manipulated.
>>
>> More to the point, there's little to no difference between an HTML form
>> POSTing somewhere and getting redirected somewhere else to the form just
>> using the second URI in the first place.
>>
>> I think this requirement is well-intentioned, but the threat model of the
>> Web has changed significantly since it was written.
>>
>> Thoughts?
>> ...
>
>
> Here's a proposal that removes the normative requirement, refactors the text
> to say things only once, but keeps a warning.
>
> In the 3xx Introduction, say:
>
>   Note that for methods not known to be "safe", as defined in
>   Section 6.1.1, automatic redirection needs to be done with care, since
>   the redirect might change the conditions under which the request was
>   issued.
>
> In the description for 301 remove:
>
>   If the 301 status code is received in response to a request method
>   that is known to be "safe", as defined in Section 6.1.1, then the
>   request MAY be automatically redirected by the user agent without
>   confirmation.  Otherwise, the user agent MUST NOT automatically
>   redirect the request unless it can be confirmed by the user, since
>   this might change the conditions under which the request was issued.
>
> Ditto for 302 and 307.
>
> Proposed patch:
> <http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/238/238.diff>

+1

Adam
Received on Tuesday, 7 February 2012 20:55:37 GMT
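An added illustration, not part of this thread or of the HTTPbis draft: a small Python model of a user agent's redirect step. `strict_policy` applies the requirement quoted above exactly as written (safe methods MAY be redirected automatically, anything else MUST NOT be without confirmation), `common_ua_policy` models the deployed browser behaviour the thread refers to (follow anyway, rewriting to GET except on 307), and the `demo_server` routes are constructed assumptions.

```python
from dataclasses import dataclass

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})  # "safe" per HTTPbis 6.1.1
REDIRECT_CODES = frozenset({301, 302, 303, 307})
MAX_HOPS = 5  # cap on hops so a redirect loop cannot run forever

@dataclass(frozen=True)
class Request:
    method: str
    url: str

@dataclass(frozen=True)
class Response:
    status: int
    location: str = ""

def strict_policy(req, resp, confirm):
    """Rule as written in the draft: safe methods MAY be redirected automatically;
    any other method MUST NOT be redirected unless the user confirms."""
    if resp.status == 303:  # 303 always means "GET the Location"
        return Request("GET", resp.location)
    if req.method in SAFE_METHODS or confirm(req, resp):
        return Request(req.method, resp.location)
    return None  # redirect not taken; the 3xx is surfaced as the final response

def common_ua_policy(req, resp, confirm):
    """What deployed browsers do instead: always follow; 301/302/303 are
    re-issued as GET, 307 keeps the original method (and body)."""
    method = req.method if resp.status == 307 else "GET"
    return Request(method, resp.location)

def follow(req, server, policy, confirm=lambda req, resp: False):
    """Drive a request through redirects. `server` is a callable mapping a
    Request to a Response (constructed stand-in for the network)."""
    chain = [req]
    for _ in range(MAX_HOPS):
        resp = server(req)
        if resp.status not in REDIRECT_CODES:
            return chain, resp
        nxt = policy(req, resp, confirm)
        if nxt is None:
            return chain, resp
        req = nxt
        chain.append(req)
    raise RuntimeError("too many redirects")

# Constructed origin: /submit moved permanently (301), /submit-preserve uses 307.
DEMO_ROUTES = {"/submit": Response(301, "/submit2"), "/submit-preserve": Response(307, "/submit2")}
def demo_server(req):
    return DEMO_ROUTES.get(req.url, Response(200))
```

Under the strict rule a POST hitting the 301 stops at the 3xx until the user confirms, while the browser model silently turns it into a GET of the new URI, which is the observation that there is little difference between the redirect and the form using the second URI to begin with.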