- From: Boris Zbarsky <bzbarsky@MIT.EDU>
- Date: Fri, 12 Feb 2010 01:04:30 -0500
On 2/12/10 12:10 AM, Ian Hickson wrote:
> HTTP already says for 301, 302, and 307 redirects: "If the [...] status
> code is received in response to a request other than GET or HEAD, the user
> agent MUST NOT automatically redirect the request unless it can be
> confirmed by the user, since this might change the conditions under which
> the request was issued".
>
> Do user agents not implement what HTTP specifies here?

What Necko (and hence Gecko) implements is the following, as far as I can tell:

1) A 301 or 302 response leads to a silent redirect performed via a GET of the Location header.

2) A 307 response to a request that had a (possibly empty) request body (this always includes the form POST case) puts up one of those dialogs from hell. It's a prompt that asks: "This web page is being redirected to a new location. Would you like to resend the form data you have typed to the new location?" No indication of what the new location is. The user is presented with an "OK" button and a "Cancel" button. If the user selects the former, the request is redirected. If the latter, the response-body of the 307 response is shown, I think, modulo some SSL stuff.

3) A 307 response to a request that does not have a request body (a situation one can get into by passing null to XHR send(), I think), is silently redirected to the new URI while preserving the request method. Note that this is somewhat mitigated by the restrictions on cross-origin XHR, if it can be reached via XHR at all.

-Boris
Received on Thursday, 11 February 2010 22:04:30 UTC
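
The behaviour described in the message above, set against the HTTP rule quoted at its top, as an added JavaScript example (not part of the original message and not Necko code; the function names, URLs and sample requests are constructed for illustration). It lists the cases where a redirect is followed with no prompt although the quoted text asks for user confirmation.

```javascript
// Added illustration: models the behaviour described in the message above.
// It is not Necko source code; all names here are hypothetical.

// Rule quoted from HTTP: for 301/302/307, a request other than GET or HEAD
// must not be redirected automatically without user confirmation.
function httpRequiresConfirmation(method, status) {
  return [301, 302, 307].includes(status) && !["GET", "HEAD"].includes(method);
}

// Behaviour as described in the message. body === null means "no request
// body"; an empty string still counts as a (possibly empty) body.
function describedRedirect(req, status, location) {
  if (status === 301 || status === 302) {
    // Silent redirect performed via a GET of the Location header.
    return { action: "silent", method: "GET", body: null, url: location };
  }
  if (status === 307) {
    // Prompt only when the original request carried a body.
    const action = req.body !== null ? "prompt" : "silent";
    return { action, method: req.method, body: req.body, url: location };
  }
  return { action: "none", method: req.method, body: req.body, url: req.url };
}

// Report every case that is redirected with no prompt although the quoted
// HTTP text asks for confirmation.
function findSilentDeviations(cases) {
  return cases
    .filter(({ req, status }) =>
      httpRequiresConfirmation(req.method, status) &&
      describedRedirect(req, status, "https://new.example/target").action === "silent")
    .map(({ req, status }) =>
      `${status} ${req.method} body=${req.body === null ? "none" : "present"}`);
}

// Constructed sample requests (not taken from the message).
const SAMPLE_CASES = [
  { req: { method: "GET", body: null, url: "https://old.example/a" }, status: 302 },
  { req: { method: "POST", body: "q=1", url: "https://old.example/a" }, status: 301 },
  { req: { method: "POST", body: "q=1", url: "https://old.example/a" }, status: 302 },
  { req: { method: "POST", body: "", url: "https://old.example/a" }, status: 307 },
  { req: { method: "POST", body: null, url: "https://old.example/a" }, status: 307 },
];

console.log(findSilentDeviations(SAMPLE_CASES));
```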