
[whatwg] <form method="DELETE"> and 307 redirects

From: Adam Barth <whatwg@adambarth.com>
Date: Thu, 11 Feb 2010 22:06:23 -0800
Message-ID: <7789133a1002112206j5fd60289y22d2e67c9e97f2c2@mail.gmail.com>
On Thu, Feb 11, 2010 at 9:10 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Fri, 4 Dec 2009, Adam Barth wrote:
>>
>> The spec lets sites submit forms with PUT or DELETE methods to their
>> origin server. What happens if the server responds with a 307 redirect
>> to a foreign origin? Based on my reading of the fetch algorithm, the
>> browser will issue a PUT or DELETE request (respectively) to the foreign
>> origin. It seems like we want to generate a network error instead.
>
> HTTP already says for 301, 302, and 307 redirects: "If the [...] status
> code is received in response to a request other than GET or HEAD, the user
> agent MUST NOT automatically redirect the request unless it can be
> confirmed by the user, since this might change the conditions under which
> the request was issued".
>
> Do user agents not implement what HTTP specifies here?

Neither Chrome nor IE show a dialog when 307 redirecting a POST.  In
any case, the user doesn't have any context for understanding what the
dialog would mean, let alone making a security decision based on the
dialog.

Adam
Received on Thursday, 11 February 2010 22:06:23 UTC
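
The check proposed in the message above, sketched as an added example that is not part of the original message, the HTML spec text, or any browser's code. The function name `decide307`, its return shape, and the sample URLs are assumptions made for illustration; the only rule it encodes is the one the thread states, that form PUT and DELETE are meant for the submitting page's own origin.

```javascript
// Added illustration; decide307 and its return shape are hypothetical names.
// Methods the thread says a form may only send to its own origin.
const SAME_ORIGIN_ONLY = new Set(["PUT", "DELETE"]);

function decide307(method, requestUrl, location) {
  const from = new URL(requestUrl);
  const verb = method.toUpperCase();

  // Location may be relative; resolve it against the URL that was requested.
  let to;
  try {
    to = new URL(location, from);
  } catch {
    return { action: "network-error", reason: "unparseable Location" };
  }
  if (to.protocol !== "http:" && to.protocol !== "https:") {
    return { action: "network-error", reason: "non-HTTP redirect target" };
  }

  // URL.origin compares scheme, host and port, and normalises default ports,
  // so https://shop.example:443 and https://shop.example are the same origin.
  const sameOrigin = from.origin === to.origin;

  // A 307 keeps the request method. Following it across origins would send
  // the PUT or DELETE to the foreign origin, so fail the fetch instead.
  if (SAME_ORIGIN_ONLY.has(verb) && !sameOrigin) {
    return { action: "network-error", reason: "cross-origin 307 with " + verb };
  }
  return { action: "follow", method: verb, url: to.href };
}

// Constructed sample inputs: method, requested URL, Location header value.
const samples = [
  ["DELETE", "https://shop.example/item/1", "https://other.example/item/1"],
  ["delete", "https://shop.example/item/1", "/archive/1"],
  ["PUT", "https://shop.example:443/a", "https://shop.example/b"],
  ["PUT", "https://shop.example/a", "http://shop.example/a"],
  ["GET", "https://shop.example/a", "https://other.example/a"],
];
for (const [m, u, loc] of samples) {
  console.log(m, u, "->", loc, JSON.stringify(decide307(m, u, loc)));
}
```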
