Re: User confirmation and 307 redirects from Maciej Stachowiak on 2010-08-19 (ietf-http-wg@w3.org from July to September 2010)

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 19 Aug 2010 09:49:59 -0700
To: Adam Barth <ietf@adambarth.com>
Cc: httpbis <ietf-http-wg@w3.org>
Message-id: <FF3C7DAD-1B58-4AA3-873E-CAE4B1785DCC@apple.com>

+1

I gave this feedback some time ago, and while there was some discussion, there wasn't a clear decision on how to proceed.

Julian mentions that this requirement also applies to 301 to 302, and I think it should be removed for those status codes as well. However, in those cases, it is more of a theoretical problem, since in practice browsers convert 301 and 302 redirects to GET. The draft acknowledges this in notes but does not make clear whether it is a conforming behavior.

Regards,
Maciej

On Aug 18, 2010, at 2:27 PM, Adam Barth wrote:

> http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-11#section-8.3.8 says
> 
> [[
>   If the 307 status code is received in response to a request method
>   that is known to be "safe", as defined in Section 7.1.1, then the
>   request MAY be automatically redirected by the user agent without
>   confirmation.  Otherwise, the user agent MUST NOT automatically
>   redirect the request unless it can be confirmed by the user, since
>   this might change the conditions under which the request was issued.
> ]]
> 
> As has been pointed out by multiple folks on multiple occasions, this
> requirement should be removed for the following reasons:
> 
> 1) HTTP ought not to impose constraints on the user agent's user
> interface.  This requirement is not appropriate for all user agents,
> for example a GPS navigation unit in a car.
> 2) This requirement does not reflect reality.  A number of widely used
> user agents disregard this requirement.
> 3) This requirement is actively harmful to interoperability.  Web
> sites cannot reliably use 307 redirects because it triggers awful UI
> mandated by this requirement in some user agents.
> 
> The only counter rationale I've seen on this list is that the
> requirement is actually meaningless under a theory of
> "pre-confirmation."  If the requirement is meaningless, that means we
> should remove it as well.
> 
> Kindly remove the requirement.
> 
> Adam

Received on Thursday, 19 August 2010 17:56:06 UTC