- From: Julian Reschke <julian.reschke@gmx.de>
- Date: Tue, 07 Feb 2012 21:15:41 +0100
- To: Mark Nottingham <mnot@mnot.net>
- CC: HTTP Working Group <ietf-http-wg@w3.org>
On 2012-02-07 00:55, Mark Nottingham wrote: > <http://trac.tools.ietf.org/wg/httpbis/trac/ticket/238> (changed subject line accordingly) >> The redirect status codes define requirements for user intervention; e.g., >> >> If the 301 status code is received in response to a request method that is known to be "safe", as defined in Section 7.1.1, then the request MAY be automatically redirected by the user agent without confirmation. Otherwise, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued. >> >> However, this requirement is not often implemented by UAs. > > > I'm now wondering if we should consider removing this requirement altogether. > > The way it's structured now, the requirement associates intent with a URI, when in reality intent is associated with the UI; the user is blissfully unaware of the actual resource being manipulated. > > More to the point, there's little to no difference between an HTML form POSTing somewhere and getting redirected somewhere else to the form just using the second URI in the first place. > > I think this requirement is well-intentioned, but the threat model of the Web has changed significantly since it was written. > > Thoughts? > ... Here's a proposal that removes the normative requirement, refactors the text to say things only once, but keeps a warning. In the 3xx Introduction, say: Note that for methods not known to be "safe", as defined in Section 6.1.1, automatic redirection needs to done with care, since the redirect might change the conditions under which the request was issued. In the description for 301 remove: If the 301 status code is received in response to a request method that is known to be "safe", as defined in Section 6.1.1, then the request MAY be automatically redirected by the user agent without confirmation. Otherwise, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued. dito for 302 and 307. Proposed patch: <http://trac.tools.ietf.org/wg/httpbis/trac/attachment/ticket/238/238.diff> Best regards, Julian
Received on Tuesday, 7 February 2012 20:19:05 UTC