Re: User confirmation and 307 redirects from Julian Reschke on 2010-08-20 (ietf-http-wg@w3.org from July to September 2010)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 20 Aug 2010 11:18:57 +0200
To: Maciej Stachowiak <mjs@apple.com>
CC: Yves Lafon <ylafon@w3.org>, Adam Barth <ietf@adambarth.com>, httpbis <ietf-http-wg@w3.org>, Anne van Kesteren <annevk@opera.com>
Message-ID: <4C6E4881.9090504@gmx.de>

Hi,

FYI: I re-ran the test and sent an HTTP trace offlist.

Anne: regarding XHR -- a silent rewrite of the method is invisible to 
the caller and thus a bug. On the other hand, silently following the 
redirect for an unsafe method is still a problem, no matter how we 
phrase it in httpbis. The safest approach for XHR would be to allow 
implementations not to follow the redirect, and let the caller handle it 
instead.

Best regards, Julian

PS: apologies for claiming that the bug was reported two years ago; I 
mixed up IETF meetings. In fact it was reported *one* year ago.


On 19.08.2010 19:13, Maciej Stachowiak wrote:
>
> On Aug 19, 2010, at 9:55 AM, Julian Reschke wrote:
>
>> On 19.08.2010 18:45, Maciej Stachowiak wrote:
>>> ...
>>> Safari did have this bug a while ago, but it has been fixed for some time. We have tests in our regression test suite which verify that 307 redirects preserve the original method and request body.
>>> ...
>>
>> I just tried
>>
>>   <http://www.mnot.net/javascript/xmlhttprequest/>
>>
>> with Safari 5.0.1 on Win7, and it appears the problem is still there (maybe the code path is different for XMLHttpRequest?).
>
> I don't know of a reason XHR would behave differently.
>
> I tried one of our relevant tests myself and 307 redirects do preserve the method in our testing. I don't have a live copy that you can try but the following links show the sources to the test, and you can try it under your own Apache instance if you like:
>
> http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/loading/redirect-methods.html
> http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/loading/resources/redirect-methods-form.html
> http://trac.webkit.org/browser/trunk/LayoutTests/http/tests/loading/resources/redirect-methods-result.php
>
> I can try to investigate why mnot's test is giving different results. It would be helpful if I could see the source for the server-side parts of that test.
>
> Regards,
> Maciej
>
>
>

Received on Friday, 20 August 2010 09:19:42 UTC