W3C home > Mailing lists > Public > public-webapi@w3.org > September 2006

Re: XMLHTTPRequest: HTTP 303 response must be visible to caller

From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Fri, 8 Sep 2006 21:36:12 -0700
Message-Id: <78514A32-DDB2-453C-8580-C4D2300F83A6@yahoo-inc.com>
Cc: public-webapi@w3.org, Tim Berners-Lee <timbl@w3.org>, tabulator@csail.mit.edu
To: "L. David Baron" <dbaron@dbaron.org>


RFC2616 on the Location header:

> For 3xx responses, the location SHOULD indicate the
>    server's preferred URI for automatic redirection to the resource.

...which implies that automatic redirection is sanctioned (except  
where prohibited for particular status codes).

I like the idea of a property specified by XHR; while DOM 3 does it  
as well, that isn't widely supported AFAIK. Maybe specifically refer  
to the DOM 3 properties and encourage XHR developers to implement them?

Another approach would be checking the Content-Location header, but  
that requires work on the server side.

On 2006/09/08, at 4:20 PM, L. David Baron wrote:

> On Friday 2006-09-08 18:17 -0400, Tim Berners-Lee wrote:
>> However, the XMLHTTPRequest document [2] says:
>> "If the response is an HTTP redirect (status code 301, 302, 303 or
>> 307), then it must be transparently followed (unless it violates
>> security, infinite loop precautions or the scheme isn't supported)."
>> This is a bug. The 303 response should be returned to the software,
>> so that it can interrogate the Location header, and pick up
>> information from the associated document should it wish to.  An
>> alternative would be for the history of what happened to provided in
>> linked status blocks after a single call.
> This proposal makes one use case much more complex in order to make
> another one possible.  I don't think this complexity is necessary.  If
> there were a way of determining whether one or more 303 redirects
> occurred on the way to the retrieval of the final response, would that
> be sufficient?
>> It is also, by the way, very useful to be able to get at the 301 and
>> 302 status details, particularly when many URIs redirect to the same
>> thing, which might already have been fetched.
> This performance optimization should be expected to be made by the  
> caching implementation underlying the XMLHttpRequest  
> implementation.  In
> most cases, this should be sufficient.  (When it's not, the user  
> may in
> many cases want to check the response against a previous retrieval of
> the same resource before assuming that the contents are the same,  
> given
> the complex caching rules for HTTP.)
> Transparent redirection with implementation caching seems far less
> likely to cause the consumer of XMLHttpRequest to accidentally ignore
> the rules on caching defined for the HTTP protocol.
> Furthermore, Web authors and Web server administrators expect  
> redirects
> to "work", i.e., be followed transparently.  An XMLHttpRequest
> implementation that did not follow redirects would be considered
> unambiguously broken.  Given the rationale for the creation of 303 and
> 307 redirects given in the HTTP specification, I think authors  
> would be
> quite surprised if 303 redirects were treated differently.
>> There is also a problem with relative URIs in the destination
>> document. They should be parsed relative to the redirected URI (for a
>> 302 Moved at , not the original URI, but the software knows nothing
>> about the redirection.  This must apply also to other redirections.
> It seems like the ideal solution for this would be a  
> "responseLocation"
> or "responseURI" property that gives the URI of the document contained
> in responseText/responseXML.  I think a significant number of  
> consumers
> of XMLHttpRequest could find such a property useful.
> While I was looking at the spec [2], I noticed that a number of things
> in it are ambiguous when redirects are involved.  In particular, I
> noticed that the status and statusText properties are not clearly
> defined (which status?), and it is not clear whether
> getAllResponseHeaders includes headers from all redirection steps
> (although it seems clear for getResponseHeader).
> -David
>> [2] http://www.w3.org/TR/XMLHttpRequest/#xmlhttprequest
> -- 
> L. David Baron                                <URL: http:// 
> dbaron.org/ >
>            Technical Lead, Layout & CSS, Mozilla Corporation

Mark Nottingham
Received on Saturday, 9 September 2006 04:36:39 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:16:21 UTC