
XMLHTTPRequest: HTTP 303 response must be visible to caller

From: Tim Berners-Lee <timbl@w3.org>
Date: Fri, 8 Sep 2006 18:17:10 -0400
Message-Id: <72C23CBB-C718-4A5E-AFC6-7FED206A0966@w3.org>
Cc: tabulator@csail.mit.edu
To: public-webapi@w3.org



The TAG resolved a [semantic] web architecture issue (HTTPRange-14)  
[1] about whether HTTP URIs without hashes could be used to refer to  
things which were not documents (information resources), as follows:

"- If an "http" resource responds to a GET request with a 2xx  
response, then the resource identified by that URI is an information  
resource;

- If an "http" resource responds to a GET request with a 303 (See  
Other) response, then the resource identified by that URI could be  
any resource;

- If an "http" resource responds to a GET request with a 4xx (error)  
response, then the nature of the resource is unknown."

The 303 response is used more or less to say, "The information  
resource at the Location URI is not the thing you were asking for,  
but is information about it".

It is really important that, as the things identified by the two URIs  
are different, the client of an XMLHTTP request be able to  
distinguish what is returned from what was asked for.

However, the XMLHTTPRequest document [2] says:

"If the response is an HTTP redirect (status code 301, 302, 303 or  
307), then it must be transparently followed (unless it violates  
security, infinite loop precautions or the scheme isn't supported)."

This is a bug. The 303 response should be returned to the software,  
so that it can interrogate the Location header, and pick up  
information from the associated document should it wish to.  An  
alternative would be for the history of what happened to be provided in  
linked status blocks after a single call.

This is a problem currently in, for example, the Tabulator RDF browser.

Example:  http://dig.csail.mit.edu/People/RRS is an identifier for  
Ralph Swick.

$ curl -I http://dig.csail.mit.edu/People/RRS
HTTP/1.1 303 See Other
Date: Wed, 06 Sep 2006 18:28:37 GMT
Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-16 mod_ssl/2.8.22 OpenSSL/0.9.7e
Location: http://dig.csail.mit.edu/People/RRS/about
Content-Type: text/html; charset=iso-8859-1

http://dig.csail.mit.edu/People/RRS/about is an identifier for a  
document about Ralph Swick.


For example, the tabulator [3], when given the URI for Ralph himself,  
fetches it.
Because the redirection is followed transparently, it cannot  
distinguish between the person and the document.  It picks up the  
title of the document, and uses that as the name for Ralph. It lists  
my acquaintances as:

	acquaintance	Henry Story
			Dan Brickley
			About Ralph Swick
			Joseph Scharf
			etc...


It is also, by the way, very useful to be able to get at the 301 and  
302 status details, particularly when many URIs redirect to the same  
thing, which might already have been fetched.

There is also a problem with relative URIs in the destination  
document. They should be parsed relative to the redirected URI (for a  
302 Moved at , not the original URI, but the software knows nothing  
about the redirection.  This must apply also to other redirections.

Tim Berners-Lee
unofficially


[1] http://www.w3.org/2001/tag/issues.html#httpRange-14
[2] http://www.w3.org/TR/XMLHttpRequest/#xmlhttprequest
[3] http://dig.csail.mit.edu/2005/ajar/release/tabulator/0.7/tab.html
Received on Friday, 8 September 2006 22:17:15 GMT
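
Added example (not part of the original message, and not Tabulator or XMLHttpRequest code): a fetch helper that follows redirects one hop at a time and returns the status history to the caller, so a 303 stays distinguishable from a 200 and relative links resolve against the final URI. The transport function, the response table and all function names are hypothetical; the table is constructed from the curl output in the message.

```javascript
// Constructed responses modelling the curl example in the message (not live data).
const SAMPLE = {
  "http://dig.csail.mit.edu/People/RRS":
    { status: 303, headers: { location: "http://dig.csail.mit.edu/People/RRS/about" } },
  "http://dig.csail.mit.edu/People/RRS/about":
    { status: 200, headers: {}, body: "<title>About Ralph Swick</title>" },
};

// Hypothetical transport: one lookup stands in for one HTTP request made
// with automatic redirect following disabled.
function sampleTransport(uri) {
  return SAMPLE[uri] || { status: 404, headers: {} };
}

const REDIRECTS = new Set([301, 302, 303, 307]);

// Follow redirects hop by hop and keep every hop visible to the caller.
function fetchWithHistory(requested, transport, maxHops = 5) {
  const history = [];
  const seen = new Set();
  let uri = requested;
  for (;;) {
    const res = transport(uri);
    history.push({ uri, status: res.status });
    if (!REDIRECTS.has(res.status)) {
      return {
        requested,             // what the caller asked about
        final: uri,            // where the body came from; base for relative links
        status: res.status,
        history,
        // A 303 in the chain: the body describes the requested resource
        // but is not that resource.
        sawSeeOther: history.some((h) => h.status === 303),
        body: res.body,
      };
    }
    seen.add(uri);
    const location = res.headers.location;
    if (!location) throw new Error("redirect without Location at " + uri);
    const next = new URL(location, uri).href;   // Location may be relative
    if (seen.has(next) || history.length > maxHops) {
      throw new Error("redirect loop or too many hops at " + uri);
    }
    uri = next;
  }
}

// Resolve a link found in the body against the final URI, not the requested one.
function resolveLink(result, href) {
  return new URL(href, result.final).href;
}
```

A caller that sees sawSeeOther set should attach the document's title to the final URI, not use it as the name of the thing identified by the requested URI.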

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:55 GMT