Re: issue 325: When are Location's semantics triggered?, was: Protocols/APIs and redirects from Willy Tarreau on 2011-12-14 (ietf-http-wg@w3.org from October to December 2011)

From: Willy Tarreau <w@1wt.eu>
Date: Wed, 14 Dec 2011 07:43:24 +0100
To: Mark Nottingham <mnot@mnot.net>
Cc: Julian Reschke <julian.reschke@gmx.de>, Cameron Heavon-Jones <cmhjones@gmail.com>, "Roy T. Fielding" <fielding@gbiv.com>, Amos Jeffries <squid3@treenet.co.nz>, ietf-http-wg@w3.org
Message-ID: <20111214064324.GB29791@1wt.eu>

Hi Mark,

On Wed, Dec 14, 2011 at 03:47:46PM +1100, Mark Nottingham wrote:
> Do we have agreement that a 3xx + Location can / should trigger an automatic redirect (taking into account user notification -- a separate issue)?

While I have no strong feeling about it, I still think it's not the best
idea for the long term. While Julian suggests Safari's behaviour is good,
I'd see it differently, considering that it handles 3xx like 302 and
differently from 300 (in fact, only Chrome seems to be consistent between
3xx and 300 in Cameron's tests).

The only thing I don't like with saying that Location will be usable with
all 3xx is that it basically means that we won't create any new 3xx anymore,
because once we have the various basic redirects, we'll stop there. Without
suggesting an automatic redirect, we could imagine that later we'd add a
status with multiple Location headers and let the user pick one, or another
status indicating a unsafe/expensive locations which require user approval,
or any such thing. If we perform the automatic redirect, we'll refrain from
adding such codes, or we'll have to invent a new header.

For instance, imagine that all the user manual of your mobile phone is
supposed to be accessible from within it, with some pages cached inside
and other ones outside. You could have a small server in it which either
serves the cached pages when it has them (or redirects to their local
filesystem location using 301), or suggests a redirect to the external
site to fetch them. But you wouldn't necessarily want the user to
retrieve large amounts of data from the net without being aware of it,
since it can be very expensive depending where you are. A user-approved
redirect would perfectly make sense here.

Another example I'm facing very often is that developers working on
http+https applications generally need to know both the protocol used
and the host, while it's not always easy where the app is located.
Adding new extensions which would mean "redirect to same host using
https" or "same scheme with host xxx" or even "same host + port XYZ"
would sometimes help a lot. I'm not sure we'll be able to add them
after suggesting an automatic rule.

Once again, I have no strong feeling about it and I'm not a browser
developer, but I'm just trying to keep some rope for future additions.
If everyone else is OK with the automatic redirect on 3xx, I won't insist.

If I had the choice, I'd rather suggest either that a UA MAY automatically
redirect, or that it SHOULD redirect with user approval ; both options would
keep server implementers from inventing their own codes every day, without
blocking evolutions.

Best regards,
Willy

Received on Wednesday, 14 December 2011 06:47:42 UTC