- From: Jonas Sicking <jonas@sicking.cc>
- Date: Wed, 22 Apr 2009 17:06:41 -0700
- To: Anne van Kesteren <annevk@opera.com>
- Cc: WebApps WG <public-webapps@w3.org>
Arg, so sorry for taking forever on this.

So there are a few design decisions we need to make:

Should we treat a redirect of a preflight request as redirecting the actual request? The answer to this may depend on which type of redirect it is.

What does a 303 redirect of a preflight request even mean? According to the letter of the spec you should make a GET request, but it seems weird to use a GET request to result in a response that contains descriptions of capabilities.

What level of redirects do we want to support:

1. Fail on all redirects.
2. Fail all redirects when doing preflighted requests. Both for preflight and actual request alike.
3. Only allow redirects of the request if the redirected request is 'safe' (i.e. would not require a preflight).
4. Allow all redirects of the actual request.

For the first two questions I think we should try to consult the HTTP spec. As I understand HTTP, the following things are true:

* A 303 should be considered redirecting the response.
* A 307 should be considered redirecting the request and the response.
* UAs should treat 302 as either a 303 or 307. Ideally which one should be decided by the user, but many UAs simply choose one or the other.
* UAs are allowed to treat 301 as 302.

What I don't know is:

A) How is 301 different from 302? For example, can the UA cache the fact that a redirect is occurring in addition to treating it as a 302?

B) If you get a 303 response from an OPTIONS request, are you allowed to make an OPTIONS request to the redirected URI? Would it make sense to?

C) If the answer is 'no' to the question above, if you make an OPTIONS request to uri X, which 303 redirects to uri Y, should the UA then make a GET request to uri Y and assume that the response to that describes the capabilities of Y? In other words, does a 303 response to an OPTIONS request basically mean "The resource at Y describes my capabilities"?

D) If you get a 307 response from an OPTIONS request to a URI, does it make sense to assume that a 307 would be returned for other methods, such as a POST, DELETE or XMYMETHOD request?

Without knowing the answers to these questions I am uncertain what the correct design is for redirects of preflighted requests.

I think we can choose whichever level of redirect support we want in this version of the spec, without limiting ourselves for future versions. So my gut instinct right now, if we just want to get the spec out the door, is to go with level 2, as that is the simplest to spec while still keeping support for redirects for the most common cases.

If we want level 3 or 4 I really think we first need to answer the questions A-D.

/ Jonas

Received on Thursday, 23 April 2009 00:07:30 UTC
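
The four redirect-support levels listed in the message, written out as a decision function. This is an added example, not part of the original message or of the CORS spec. All function and parameter names are hypothetical; the simple-method and simple-header sets are a simplified reading of the CORS "simple request" definition, and failing a redirected preflight at levels 3 and 4 is an assumption, since the message leaves that case open.

```javascript
// Added illustration: all names here are hypothetical, not from the spec or any UA.
// Simplified reading of the CORS "simple request" definition (an assumption).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// True when a cross-origin request must be preceded by an OPTIONS preflight.
function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([name, value]) => {
    const n = name.toLowerCase();
    if (SIMPLE_HEADERS.has(n)) return false;
    if (n !== "content-type") return true;
    return !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
  });
}

// Method sent to the redirect target, per the message's reading of HTTP:
// 303 redirects the response (GET), 307 redirects the request (same method),
// 301 is treated as 302, and 302 as whichever of 303/307 the UA picks.
function redirectedMethod(status, method, treat302As = 303) {
  const effective = status === 301 || status === 302 ? treat302As : status;
  return effective === 303 ? "GET" : method;
}

// phase is "preflight" (the OPTIONS request) or "actual".
// Returns true when the UA follows the redirect, false when it fails the request.
function followRedirect(level, phase, status, request, treat302As = 303) {
  const preflighted = phase === "preflight" ||
    needsPreflight(request.method, request.headers);
  switch (level) {
    case 1: return false;                 // fail on all redirects
    case 2: return !preflighted;          // fail any redirect once a preflight is involved
    case 3: {                             // follow only if the redirected request is "safe"
      if (phase === "preflight") return false; // assumption: message leaves this open
      const next = redirectedMethod(status, request.method, treat302As);
      return !needsPreflight(next, request.headers); // assumes headers carry over
    }
    case 4: return phase === "actual";    // assumption: preflight redirects still fail
    default: throw new RangeError("level must be 1-4");
  }
}
```

Under level 3 the outcome for a 302 depends on the UA's choice between 303 and 307 behaviour, which is why that choice is an explicit parameter.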