W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2010

Re: [XHR] Redirects

From: Darin Fisher <darin@chromium.org>
Date: Tue, 31 Aug 2010 13:51:19 -0700
Message-ID: <AANLkTimpzAXkU8EqDYv=tR1kJAOXSM-s-xQg1DNFHEFJ@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: WebApps WG <public-webapps@w3.org>, Joćo Eiras <joao.eiras@gmail.com>
On Tue, Aug 31, 2010 at 1:16 PM, Anne van Kesteren <annevk@opera.com> wrote:

> On Tue, 31 Aug 2010 19:04:08 +0200, Darin Fisher <darin@chromium.org>
> wrote:
>
>> So the idea is that you would have to manually create the redirect request
>> using a new XHR if you wanted to manually follow the redirect?
>>
>
> Yeah, or you could reset the existing object using open().
>
>
>
>  One risk with that is that it is easy to construct the redirect request
>> improperly.  There's the classic example of what happens when you issue a
>> POST request and it results in a redirect.  303 and 307 had to be invented
>> because some browsers implemented 302 incorrectly.
>>
>
> Yeah, though I think that the people that implement redirects manually have
> put some thought in the matter. Maybe that is naive, though on the other
> hand if people do it wrong it does not matter much either.
>
>
>
>  Maybe there should be a way to create a new XHR from the existing XHR that
>> is already configured to follow the redirect?  I'm not sure how to make this
>> less awkward...
>>
>
> If this is actually common and people start using this a lot and ask this
> question here that would be the point where we should start thinking about
> making this less awkward. For now libraries and developers with "lots of
> time" have all the hooks they need.
>
>
>
>

Hmm, that's a pretty good argument.

Another issue that concerns me is redirect loops.  The proposed API gives us
know way to know that the application is following a redirect chain, which
means that we have little way to know if the application is following an
endless redirect chain.  The classical example is a server that redirects
back to the same URL with a Set-Cookie header, expecting the next request to
have a corresponding Cookie header.  If the Cookie header is not added, then
the redirect is issued again.

Most browsers detect this after N iterations, and then give up.  Of course,
this situation only occurs if the user has disabled cookies in the User
Agent.  I worry that a case like this will almost never be tested by
application developers, and hence, users who like to disable some cookies
will be unable to use the internet.  (I realize that the internet is mostly
broken already if you disable cookies, but there are some variations of
cookie blocking that sort of work.)

A User Agent could try to implement a heuristic to catch certain flavors of
redirect chains, by observing the XHR requests made by an application.  But,
it seems like it would be fairly difficult to avoid false positives.

If instead, we had an API for auditing redirects (perhaps an "onredirect"
event), then we could let developers handle that event and call
preventDefault if they want to stop redirect processing.  Otherwise, the
redirect would be processed normally.  The result being that application
authors would be guided away from following redirects manually, and hence
they would avoid the problems I've described above.

-Darin
Received on Tuesday, 31 August 2010 20:51:50 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:40 GMT