Re: User confirmation and 307 redirects

On Wed, 18 Aug 2010, Adam Barth wrote:

> says
> [[
>   If the 307 status code is received in response to a request method
>   that is known to be "safe", as defined in Section 7.1.1, then the
>   request MAY be automatically redirected by the user agent without
>   confirmation.  Otherwise, the user agent MUST NOT automatically
>   redirect the request unless it can be confirmed by the user, since
>   this might change the conditions under which the request was issued.
> ]]
> As has been pointed out by multiple folks on multiple occasions, this
> requirement should be removed for the following reasons:
> 1) HTTP ought not to impose constraints on the user agent's user
> interface.  This requirement is not appropriate for all user agents,
> for example a GPS navigation unit in a car.
> 2) This requirement does not reflect reality.  A number of widely used
> user agents disregard this requirement.
> 3) This requirement is actively harmful to interoperability.  Web
> sites cannot reliably use 307 redirects because it triggers awful UI
> mandated by this requirement in some user agents.

Only for non-safe operations, and it was already the case for 301 in 2616. 
Also "harmful to interoperability" is an untestable claim.

> The only counter rationale I've seen on this list is that the
> requirement is actually meaningless under a theory of
> "pre-confirmation."  If the requirement is meaningless, that means we
> should remove it as well.

I don't see this requirement as an UI requirement, but more as a semantic 
one. The user has to be aware of what is going on in the case of a 
redirected non-safe method.
So maybe we need a rewording of the requirement to make it clear that it 
is not an UI one.

Baroula que barouleras, au tiéu toujou t'entourneras.


Received on Thursday, 19 August 2010 09:54:18 UTC