- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 7 Feb 2012 12:51:18 -0800
- To: Julian Reschke <julian.reschke@gmx.de>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
On Tue, Feb 7, 2012 at 12:15 PM, Julian Reschke <julian.reschke@gmx.de> wrote:
> On 2012-02-07 00:55, Mark Nottingham wrote:
>>
>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/238>
>
> (changed subject line accordingly)
>
>>> The redirect status codes define requirements for user intervention;
>>> e.g.,
>>>
>>> If the 301 status code is received in response to a request method that
>>> is known to be "safe", as defined in Section 7.1.1, then the request MAY be
>>> automatically redirected by the user agent without confirmation. Otherwise,
>>> the user agent MUST NOT automatically redirect the request unless it can be
>>> confirmed by the user, since this might change the conditions under which
>>> the request was issued.
>>>
>>> However, this requirement is not often implemented by UAs.
>>
>> I'm now wondering if we should consider removing this requirement
>> altogether.
>>
>> The way it's structured now, the requirement associates intent with a URI,
>> when in reality intent is associated with the UI; the user is blissfully
>> unaware of the actual resource being manipulated.
>>
>> More to the point, there's little to no difference between an HTML form
>> POSTing somewhere and getting redirected somewhere else to the form just
>> using the second URI in the first place.
>>
>> I think this requirement is well-intentioned, but the threat model of the
>> Web has changed significantly since it was written.
>>
>> Thoughts?
>> ...
>
> Here's a proposal that removes the normative requirement, refactors the text
> to say things only once, but keeps a warning.
>
> In the 3xx Introduction, say:
>
>   Note that for methods not known to be "safe", as defined in
>   Section 6.1.1, automatic redirection needs to be done with care, since
>   the redirect might change the conditions under which the request was
>   issued.
>
> In the description for 301 remove:
>
>   If the 301 status code is received in response to a request method
>   that is known to be "safe", as defined in Section 6.1.1, then the
>   request MAY be automatically redirected by the user agent without
>   confirmation. Otherwise, the user agent MUST NOT automatically
>   redirect the request unless it can be confirmed by the user, since
>   this might change the conditions under which the request was issued.
>
> ditto for 302 and 307.
>
> Proposed patch:
> <http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/238/238.diff>

+1

Adam
Received on Tuesday, 7 February 2012 20:55:37 UTC
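As an added illustration of the requirement under discussion (not code from the thread or from the httpbis drafts), here is a toy client that applies the quoted 301/302/307 rule: a safe method is redirected automatically, an unsafe one only when a user-confirmation hook agrees. The server table, URLs and redirect limit are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Optional
# Methods the quoted text calls "safe" (the cited section lists GET, HEAD,
# OPTIONS and TRACE); every other method is treated as unsafe.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
REDIRECT_CODES = frozenset({301, 302, 307})   # the codes the thread discusses
MAX_REDIRECTS = 5                             # constructed limit, not from the spec

@dataclass
class Request:
    method: str
    url: str

@dataclass
class Response:
    status: int
    location: Optional[str] = None

# Constructed stand-in for a server; no network is involved.
def fake_server(req: Request) -> Response:
    table = {
        "https://shop.example/old-catalog": Response(301, "https://shop.example/catalog"),
        "https://shop.example/catalog": Response(200),
        "https://shop.example/checkout": Response(302, "https://pay.example/collect"),
        "https://pay.example/collect": Response(200),
    }
    return table.get(req.url, Response(404))

def follow(req: Request, send: Callable[[Request], Response],
           confirm: Callable[[Request, str], bool] = lambda req, target: False):
    """Send `req` and follow 301/302/307 responses under the rule quoted in
    the thread: a safe method is redirected automatically; an unsafe method
    is redirected only when `confirm` (the user-intervention hook) agrees.
    Returns the final response and the list of Location values followed."""
    hops = []
    for _ in range(MAX_REDIRECTS):
        resp = send(req)
        if resp.status not in REDIRECT_CODES or resp.location is None:
            return resp, hops
        if req.method not in SAFE_METHODS and not confirm(req, resp.location):
            # Unsafe method and no confirmation: hand the 3xx back to the caller
            # instead of silently re-issuing the request against a new URI.
            return resp, hops
        hops.append(resp.location)
        # The method is kept as-is; this toy client does not model the
        # POST-to-GET rewriting that many user agents perform on 301/302.
        req = Request(req.method, resp.location)
    raise RuntimeError("redirect limit exceeded")
```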