Re: #160: Redirects and non-GET methods from Julian Reschke on 2011-08-06 (ietf-http-wg@w3.org from July to September 2011)

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sat, 06 Aug 2011 12:48:35 +0200
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <4E3D1C03.9090600@gmx.de>

On 2011-07-17 13:16, Mark Nottingham wrote:
> <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/160>
>
> I've just tested the latest iterations of the browsers, with the following results:
>
> • Safari/533.21.1 - all 301, 302, 307 rewritten to GET; 303 methods are preserved
> • Firefox/5.0.1 - all 301, 302 rewritten to GET; 303 and 307 methods are preserved
> • Chrome/14.0.814.0 - all 301, 302 rewritten to GET; 303 and 307 methods are preserved
> • Opera/11.50 - all 301, 302 rewritten to GET; 303 methods are preserved; 307 tests crash the browser
> • MSIE/9.0 (latest) - all 301, 302 methods preserved except POST (changed to GET); all 303, 307 methods are preserved
>
> So, many browsers rewrite many methods to GET on 301 and 302. whereas most browsers preserve methods on 303 and 307*.
>
> We *could* codify this practice. However, as Julian notes in the bug, the fact that IE doesn't rewrite anything except POST is an existence proof (and a fairly large one) that it's workable to not rewrite the method on non-POST methods.
>
> So, I'm inclined to agree that we could address this by changing 301 an 302 to note that POST is rewritten to GET; it's a smaller change, although it would require changes in more browsers.
>
> Thoughts? Especially from browser people?
> ...

In the meantime, it might make sense to look at the test cases at 
<http://www.mnot.net/javascript/xmlhttprequest/> and tune them so that 
they are a bit closer to what our plan is.

Observations:

- the tests apparently fail to handle HEAD properly, as they used the 
response body to echo the method name; maybe this can be fixed by moving 
it into a custom response header

- the tests report a failure if POST->301/302 is rewritten to GET; it 
might be useful to note that this may become compliant in HTTPbis 
(that's our intent, right?)

- I'm a bit unsure about what we should say about HEAD->303. IE's XHR 
apparently rewrites to GET, but the result probably doesn't make a 
difference for users of XHR. However, do we need to clarify the text 
about 303?

Best regards, Julian

Received on Saturday, 6 August 2011 10:49:18 UTC