W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2010

Re: User confirmation and 307 redirects

From: Yves Lafon <ylafon@w3.org>
Date: Thu, 19 Aug 2010 05:54:15 -0400 (EDT)
To: Adam Barth <ietf@adambarth.com>
cc: httpbis <ietf-http-wg@w3.org>, Maciej Stachowiak <mjs@apple.com>
Message-ID: <alpine.DEB.1.10.1008190550280.487@wnl.j3.bet>
On Wed, 18 Aug 2010, Adam Barth wrote:

> http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-11#section-8.3.8 says
> [[
>   If the 307 status code is received in response to a request method
>   that is known to be "safe", as defined in Section 7.1.1, then the
>   request MAY be automatically redirected by the user agent without
>   confirmation.  Otherwise, the user agent MUST NOT automatically
>   redirect the request unless it can be confirmed by the user, since
>   this might change the conditions under which the request was issued.
> ]]
> As has been pointed out by multiple folks on multiple occasions, this
> requirement should be removed for the following reasons:
> 1) HTTP ought not to impose constraints on the user agent's user
> interface.  This requirement is not appropriate for all user agents,
> for example a GPS navigation unit in a car.
> 2) This requirement does not reflect reality.  A number of widely used
> user agents disregard this requirement.
> 3) This requirement is actively harmful to interoperability.  Web
> sites cannot reliably use 307 redirects because it triggers awful UI
> mandated by this requirement in some user agents.

Only for non-safe operations, and it was already the case for 301 in 2616. 
Also "harmful to interoperability" is an untestable claim.

> The only counter rationale I've seen on this list is that the
> requirement is actually meaningless under a theory of
> "pre-confirmation."  If the requirement is meaningless, that means we
> should remove it as well.

I don't see this requirement as an UI requirement, but more as a semantic 
one. The user has to be aware of what is going on in the case of a 
redirected non-safe method.
So maybe we need a rewording of the requirement to make it clear that it 
is not an UI one.

Baroula que barouleras, au tiéu toujou t'entourneras.

Received on Thursday, 19 August 2010 09:54:18 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 2 February 2023 18:43:22 UTC