W3C home > Mailing lists > Public > public-html@w3.org > January 2012

Re: Meta element to prevent resending post data

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Fri, 27 Jan 2012 09:00:21 -0800
Message-ID: <CAAWBYDDfaeVUtP8_AXte5ke7uoWmSV4W1GWiMOCxq6tJMcWEXw@mail.gmail.com>
To: "Marat Tanalin | tanalin.com" <mtanalin@yandex.ru>
Cc: public-html@w3.org
On Thu, Jan 26, 2012 at 2:05 PM, Marat Tanalin | tanalin.com
<mtanalin@yandex.ru> wrote:
> Hello.
>
> Currently, if a page is result of POST request, trying to refresh it in browser do result in browser message confirming that user really wants to refresh page that will result in resending form data that is already sent. If user do not want to resend data, it ends up with complete _impossibility_ to refresh page without manual focusing location bar and pressing Enter key.
>
> So it would be nice to have a META element to prevent resending POST form-data when user refreshes page that is result of POST request.
>
> A possible syntax of such META element:
>
>    <meta http-equiv="x-http-post-options" content="noresend" />
>
> When page has such META element, pressing "Refresh" button of browser (or keyboard key like F5) would result in just _reloading_ page as if the page was regular page loaded by regular GET request.
>
> Of course, it's usually good practice to just make server-side redirect via "Location" HTTP header (self-redirect in particular) after POST request, however unfortunately this is _not always technically possible_. Sending arbitrary HTTP headers is trivial task for modern script languages like PHP, but unfortunately is not an option at all for some self-made CMS written in compiled language like Delphi that a company has _anyway_ no resources to rework in, say, next 10 years.
>
> In such situations, the proposed META element would be quite useful to achieve same effect as server-side self-redirect provides: prevent accidental resending form data when user actually just wants to refresh page as if it was regular GET-requested page and wasn't result of POST request. There could be also server response header of same name ("x-http-post-options: noresend") for same purpose.

If you can get the same page back with a GET request, then it
shouldn't have been a POST in the first place.  That's an abuse of
request semantics, usually just so the page maintains a "pretty URL".

Now that we have the history API, this is unnecessary - the author can
use a normal GET form, then have the destination page rewrite its url
to remove the parameters.

~TJ
Received on Friday, 27 January 2012 17:01:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:17:43 GMT