Re: HTTP 301 responses for POST from Mark Nottingham on 2009-04-16 (ietf-http-wg@w3.org from April to June 2009)

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 16 Apr 2009 10:57:39 +1000
To: yngve@opera.com
Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <24678B37-453C-4BA2-A18E-E7846C920EB6@mnot.net>

Now #160;
   http://trac.tools.ietf.org/wg/httpbis/trac/ticket/160

On 20/12/2008, at 2:18 AM, Yngve Nysaeter Pettersen wrote:

>
> Hello all,
>
> The 301 and 302 sections of HTTPbis seems to make the implicit, or  
> perhaps not clearly stated, assumption that the new request shall  
> use the same method as the request triggering the response.
>
> draft-ietf-httpbis-p2-semantics-05.txt sec. 9.3.2 for the 301  
> response says in part:
>
>      Note: When automatically redirecting a POST request after
>      receiving a 301 status code, some existing HTTP/1.0 user agents
>      will erroneously change it into a GET request.
>
> I may have mentioned this before, but just in case I didn't: With  
> respect to WWW-clients (a.k.a Web Browsers) there are to the best of  
> my knowledge no web browser that performs a POST->POST redirect for  
> 301 or 302, whether or not they are HTTP 1.0 or HTTP 1.1 clients,  
> they all change the method to GET.
>
> The only browser that I am aware that ever did support it, with a  
> dialog query, has been Opera. However, due to
>
>  1)usabilty issues: Users had problems understanding what the  
> question was about, and did not have the information needed to make  
> an informed decision
>
>  2) interoperability issues: I can't recall ever encountering a  
> production web server that required such a redirected POST to be  
> using POST. OTOH, I have encountered many web servers that returned  
> 4XX or 5XX error codes when getting a POST query when they expected  
> a GET.
>
> it became necessary to remove the dialog handling for 301 and 302.  
> It is now only used for 307 responses.
>
> At least among web browsers it is now a de facto standard that 301  
> and 302 results in GET requests for all queries, at least the GET  
> and POST methods.
>
> This difference between the language in the specification and the de  
> facto standard is causing many queries from our customers when their  
> testsuites fail on this point.
>
> I think it would be an idea to see if the language for web clients  
> can be made closer to the actual situation, and perhaps state that  
> other (non-web) HTTP applications need to specifically define their  
> handling of non-safe methods and redirects.
>
> -- 
> Sincerely,
> Yngve N. Pettersen
> ********************************************************************
> Senior Developer		     Email: yngve@opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
> ********************************************************************
>


--
Mark Nottingham     http://www.mnot.net/

Received on Thursday, 16 April 2009 00:58:21 UTC