#328: user Intervention on Redirects

<http://trac.tools.ietf.org/wg/httpbis/trac/ticket/238>

> The redirect status codes define requirements for user intervention; e.g.,
> 
> If the 301 status code is received in response to a request method that is known to be "safe", as defined in Section 7.1.1, then the request MAY be automatically redirected by the user agent without confirmation. Otherwise, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.
> 
> However, this requirement is not often implemented by UAs.


I'm now wondering if we should consider removing this requirement altogether.

The way it's structured now, the requirement associates intent with a URI, when in reality intent is associated with the UI; the user is blissfully unaware of the actual resource being manipulated.

More to the point, there's little to no difference between an HTML form POSTing somewhere and getting redirected somewhere else to the form just using the second URI in the first place.

I think this requirement is well-intentioned, but the threat model of the Web has changed significantly since it was written.

Thoughts?


--
Mark Nottingham   http://www.mnot.net/

Received on Tuesday, 7 February 2012 00:00:57 UTC