W3C home > Mailing lists > Public > xml-dist-app@w3.org > November 2005

Re: Concern about status code 303 and resolution to Rec33

From: Mark Baker <distobj@acm.org>
Date: Wed, 16 Nov 2005 22:30:23 -0500
Message-ID: <c70bc85d0511161930w317a781fs5e08f9e1bef7a9c6@mail.gmail.com>
To: Yves Lafon <ylafon@w3.org>
Cc: "noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>, xml-dist-app@w3.org

Thanks for bringing that to my attention Yves; it apparently evaded my radar.

On 11/16/05, Yves Lafon <ylafon@w3.org> wrote:
> On Tue, 15 Nov 2005, Mark Baker wrote:
> >> I can see why it's OK per the HTTP recommendation.
> >>
> >
> > I don't think it is, as I mentioned before;
> > http://lists.w3.org/Archives/Public/xml-dist-app/2005Oct/0006.html
> >
> And I replied at
> http://lists.w3.org/Archives/Public/xml-dist-app/2005Oct/0010.html :)
> Are you happy with the amended text?
> Thanks,

In that message you wrote (sorry for the formatting);

>> Keep in mind that all agents are "user agents", in that they act on
>> behalf of some human, somewhere.  Whether that relationship is >up-close
>Are you sure that they act on behalf of humans? always? In the case of
>automatic selection of a Web Service to accomplish one task, it's more
>difficult to go back to the human originator of the request.

Yes, it's more difficult, but outside of Skynet[1] (8-), all software
operates under the authority of a human, so I think it's required.

 [1] http://en.wikipedia.org/wiki/Skynet

>I agree that redirecting unsafe HTTP methods requires confirmation,
><sublimnal>use GET when you can!</subliminal> and that the >confirmation
>can't happen directly at the SOAP binding level.
>However, if you have a description of a service that explicitely says >"you
>might get redirected to this set of URIs, and it is OK", then, as you
>already trusted the service definition to craft your SOAP message, you >can
>also assume that automatic redirection is at the same safeness level.

Unfortunately it's not the role of the service to declare that it can
be trusted 8-); that's something only the human operating the client
can decide, because they - not the service doing the redirection -
have to take responsibility for the implications of the unsafe
message....  hence the need to verify with them.

>So let's amend the proposal for the 301/302/307 redirections:
>Status Code:
>Reason phrase:
>The requested resource has moved.
>In the case of unsafe HTTP method, like POST or PUT, explicit >confirmation
>is required before proceeding as follow.

I assume you mean "is required before resending the message to the new URI"?

>In the case of a safe method, like GET, or if the redirection has been
>approved, the HTTP request SHOULD be retried using the URI carried >in the
>associated Location header field as the new value for the
>http://www.w3.org/2003/05/soap/mep/ImmediateDestination property.

Well, it does seem like it's just repeating what's in the HTTP
specification.  But at least it's consistent, AFAICT.  So if the
group's ok with doing that, then it's fine by me too.


Received on Thursday, 17 November 2005 03:30:36 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 22:01:28 UTC