Redirection MUST NOTs


In the descriptions of each of the 301, 302, and 307 response codes of
RFC 2616, the following text can be found:

"If the [code] status code is received in response to a request other
 than GET or HEAD, the user agent MUST NOT automatically redirect the
 request unless it can be confirmed by the user, since this might
 change the conditions under which the request was issued."

I believe that the conformance level should be "SHOULD NOT" rather than

Though I'm not familiar with the history of this requirement, it seems
self-explanatory regarding its intent; it's there as a warning, not as
a conformance statement.  And while it's certainly the best approach
in the generic case (as "SHOULD NOT" would indicate), the opportunity
for a private agreement to exist between client and server should be
recognized IMO.

In my case, the nature of the type of resource - as indicated in the
messages via link metadata - to which a POST is submitted is such that
there is no change of condition under which the request was issued.  The
agent has committed to submitting the data across a trust boundary with
the expectation that a redirect is being performed in lieu of the server
acting as an intermediary for the request.


Mark Baker.   Ottawa, Ontario, CANADA.

Received on Monday, 3 November 2003 15:44:40 UTC
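
As an added illustration (not part of the original message or of RFC 2616), the following Python shows how a user agent could apply the quoted rule to 301, 302 and 307 responses, with the "private agreement" the message argues for modelled as an explicit allowlist of origin pairs. The function names, the `agreements` and `confirm` parameters, and the example.com / example.net URLs used to exercise it are assumptions made for this example.

```python
from urllib.parse import urljoin, urlsplit

COVERED = {301, 302, 307}        # status codes the quoted RFC 2616 text applies to
SAFE_METHODS = {"GET", "HEAD"}   # methods the rule exempts


def origin(url):
    """Return (scheme, host, port) so agreements match one exact origin."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, p.hostname or "", port)


def redirect_decision(method, status, request_url, location,
                      confirm=None, agreements=frozenset()):
    """Decide whether to re-issue a request at the redirect target.

    confirm    -- callable(method, target) -> bool, the user confirmation hook
    agreements -- set of (request_origin, target_origin) pairs; a hypothetical
                  model of the client/server "private agreement" in the message
    Returns (action, target) with action "follow" or "stop".
    """
    if status not in COVERED or not location:
        return ("stop", None)
    target = urljoin(request_url, location)      # Location may be relative
    if urlsplit(target).scheme not in ("http", "https"):
        return ("stop", target)
    if method.upper() in SAFE_METHODS:
        return ("follow", target)
    # Non-GET/HEAD: under MUST NOT only user confirmation permits the redirect.
    # The allowlist branch is the "SHOULD NOT" reading: the body crosses a trust
    # boundary only to an origin pair that was agreed in advance.
    if (origin(request_url), origin(target)) in agreements:
        return ("follow", target)
    if confirm is not None and confirm(method, target):
        return ("follow", target)
    return ("stop", target)
```

Leaving `agreements` empty gives the strict behaviour of the quoted text: a POST is re-sent only after `confirm` returns true.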