W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2009

Re: [cors] Redirects

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 22 Apr 2009 17:06:41 -0700
Message-ID: <63df84f0904221706p48c267c7t7745127b408e3afe@mail.gmail.com>
To: Anne van Kesteren <annevk@opera.com>
Cc: WebApps WG <public-webapps@w3.org>
Arg, so sorry for taking forever on this.

So there are a few design decisions we need to make:

Should we treat a redirect of a preflight request, as redirecting the
actual request? The answer to this may depend on which type of
redirect it is.

What does a 303 redirect of a preflight request even mean. According
to the letter of the spec you should make a GET request, but it seems
weird to use GET request to result in a response that contains
descriptions of capabilities.

What level of redirects do we want to support:
1. Fail on all redirects.
2. Fail all redirects when doing preflighted requests. Both for
preflight and actual request alike.
3. Only allow redirects of the request if the redirected request is
'safe' (i.e. would not require a preflight).
4. Allow all redirects of the actual request.

For the first two questions I think we should try to consult the HTTP
spec. As I understand HTTP, the following things are true:

* A 303 should be considered redirecting the response.
* A 307 should be considered redirecting the request and the response.
* UAs should treat 302 as either a 303 or 307. Ideally which one
should be decided by the user, but many UAs simply choose one or the
* UAs are allowed to treat 301 as 302.

What I don't know is:

A) How is 301 different from 302. For example can the UA cache the
fact that a redirect is occuring in addition to treating it as a 302?
B) If you get a 303 response from a OPTIONS request, are you allowed
to make an OPTIONS request to the redirected URI. Would it make sense
C) If the answer is 'no' to the question above, if you make an OPTIONS
request to uri X, which 303 redirects to uri Y. Should the UA then
make a GET request to uri Y and assume that the response to that
describes the capabilities of Y? In other words, does a 303 response
to an OPTIONS request basically mean "The resource at Y describes my
D) If you get a 307 response from an OPTIONS request to a URI, does it
make sense to assume that a 307 would be returned for other methods,
such as a POST, DELETE or XMYMETHOD request?

Without knowing the answers to these questions I am uncertain what the
correct design is for redirects of preflighted requests.

I think we can choose whichever level of redirect support we want in
this version of the spec, without limiting ourselves for future
versions. So my gut instinct right now if we just want to get the spec
out the door is to go with level 2 as that is the simplest to spec
while still keeping support for redirects for the most common cases.

If we want level 3 or 4 I really think we first need to answer the
questions A-D.

/ Jonas
Received on Thursday, 23 April 2009 00:07:30 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:12:53 UTC