Re: #238, was: #328: user Intervention on Redirects from Mark Nottingham on 2012-02-07 (ietf-http-wg@w3.org from January to March 2012)

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 8 Feb 2012 07:47:19 +1100
To: Julian Reschke <julian.reschke@gmx.de>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1289915F-E735-47A9-8F0E-395D8BA8C16F@mnot.net>

+1

On 08/02/2012, at 7:15 AM, Julian Reschke wrote:

> On 2012-02-07 00:55, Mark Nottingham wrote:
>> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/238>
> 
> (changed subject line accordingly)
> 
>>> The redirect status codes define requirements for user intervention; e.g.,
>>> 
>>> If the 301 status code is received in response to a request method that is known to be "safe", as defined in Section 7.1.1, then the request MAY be automatically redirected by the user agent without confirmation. Otherwise, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.
>>> 
>>> However, this requirement is not often implemented by UAs.
>> 
>> 
>> I'm now wondering if we should consider removing this requirement altogether.
>> 
>> The way it's structured now, the requirement associates intent with a URI, when in reality intent is associated with the UI; the user is blissfully unaware of the actual resource being manipulated.
>> 
>> More to the point, there's little to no difference between an HTML form POSTing somewhere and getting redirected somewhere else to the form just using the second URI in the first place.
>> 
>> I think this requirement is well-intentioned, but the threat model of the Web has changed significantly since it was written.
>> 
>> Thoughts?
>> ...
> 
> Here's a proposal that removes the normative requirement, refactors the text to say things only once, but keeps a warning.
> 
> In the 3xx Introduction, say:
> 
>   Note that for methods not known to be "safe", as defined in
>   Section 6.1.1, automatic redirection needs to done with care, since
>   the redirect might change the conditions under which the request was
>   issued.
> 
> In the description for 301 remove:
> 
>   If the 301 status code is received in response to a request method
>   that is known to be "safe", as defined in Section 6.1.1, then the
>   request MAY be automatically redirected by the user agent without
>   confirmation.  Otherwise, the user agent MUST NOT automatically
>   redirect the request unless it can be confirmed by the user, since
>   this might change the conditions under which the request was issued.
> 
> dito for 302 and 307.
> 
> Proposed patch: <http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/238/238.diff>
> 
> Best regards, Julian

--
Mark Nottingham   http://www.mnot.net/

Received on Tuesday, 7 February 2012 20:56:52 UTC