Re: redirect model for non-GET requests

Anne van Kesteren wrote:
> 
> On Mon, 04 Feb 2008 10:27:03 +0100, Jonas Sicking <jonas@sicking.cc> wrote:
>> If I do a POST using AC to a http://example.com/form.cgi and the 
>> initial OPTIONS request forwards to http://example.org/pub/form.cgi, 
>> does that mean that the POST goes directly to the second URI?
> 
> Yes, you proposed this (although I pointed out later that this was 
> already in the draft, though unclear):
> 
>   http://lists.w3.org/Archives/Public/public-webapi/2007Jul/0042.html

Ugh, what a silly idea ;)

I'm honestly not sure what the right thing to do here is. My gut feeling 
is that the POST should go to the original URI and then any redirects 
would need to follow the exact same path as the original OPTIONS redirects.

This way the only difference between the cross-site POST and a same-site 
POST will be the initial OPTIONS requests.

>> That seems like a bad idea to me since it makes cross-site requests 
>> behave very different from same-site requests, rather than just 
>> differing in authorization.
> 
> I don't see what the issue is. They already behave very differently as 
> they require a preflight OPTIONS request. Comments like these do worry 
> me a bit about the state of your implementation though. :-(

I decided not to implement redirects for non-GET methods at all in the 
initial implementation. It might be the state we will ship in since I 
think redirects is an edge case and the lack of support for redirect 
won't hinder adoption of the rest of the spec.

/ Jonas

Received on Monday, 4 February 2008 23:32:01 UTC