- From: Adam Barth <whatwg@adambarth.com>
- Date: Thu, 11 Feb 2010 22:06:23 -0800

On Thu, Feb 11, 2010 at 9:10 PM, Ian Hickson <ian at hixie.ch> wrote:
> On Fri, 4 Dec 2009, Adam Barth wrote:
>>
>> The spec lets sites submit forms with PUT or DELETE methods to their
>> origin server. What happens if the server responds with a 307 redirect
>> to a foreign origin? Based on my reading of the fetch algorithm, the
>> browser will issue a PUT or DELETE request (respectively) to the foreign
>> origin. It seems like we want to generate a network error instead.
>
> HTTP already says for 301, 302, and 307 redirects: "If the [...] status
> code is received in response to a request other than GET or HEAD, the user
> agent MUST NOT automatically redirect the request unless it can be
> confirmed by the user, since this might change the conditions under which
> the request was issued".
>
> Do user agents not implement what HTTP specifies here?

Neither Chrome nor IE shows a dialog when 307 redirecting a POST. In
any case, the user doesn't have any context for understanding what the
dialog would mean, let alone making a security decision based on the
dialog.

Adam

Received on Thursday, 11 February 2010 22:06:23 UTC
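
The check proposed in the message above, sketched as an added example that is not part of the original thread, the spec text, or any browser's code: a 307 response to a PUT or DELETE becomes a network error when the Location target is a different origin. The function name `decide307`, the `GUARDED_METHODS` set, the return shape and the `*.example` URLs are assumptions made for illustration.

```javascript
// Added illustration; names and return values are hypothetical.
const GUARDED_METHODS = new Set(["PUT", "DELETE"]); // methods raised in the thread

// Decide what to do with a 307 response to `method` sent to `requestUrl`.
// `location` is the raw Location header value and may be relative.
function decide307(requestUrl, method, location) {
  const source = new URL(requestUrl);
  let target;
  try {
    target = new URL(location, source); // resolve relative and scheme-relative forms
  } catch (e) {
    return { action: "network-error", reason: "unparseable Location" };
  }
  const m = method.toUpperCase();
  // URL.origin serializes scheme, host and port and drops default ports,
  // so https://app.example:443 and https://app.example compare equal.
  const sameOrigin = target.origin === source.origin;
  if (GUARDED_METHODS.has(m) && !sameOrigin) {
    return { action: "network-error", reason: `cross-origin 307 for ${m}` };
  }
  // A 307 keeps the original method, so the request is reissued unchanged.
  return { action: "follow", method: m, url: target.href };
}

// Constructed sample inputs covering the cases from the discussion.
const samples = [
  ["https://app.example/items/7", "DELETE", "https://other.example/items/7"],
  ["https://app.example/items/7", "PUT", "/v2/items/7"],
  ["https://app.example:443/x", "put", "https://app.example/y"],
  ["http://app.example/x", "PUT", "https://app.example/x"],  // scheme change
  ["https://app.example/x", "PUT", "//other.example/x"],     // scheme-relative
  ["https://app.example/x", "GET", "https://other.example/x"],
];
for (const [url, method, loc] of samples) {
  console.log(method, url, "->", loc, JSON.stringify(decide307(url, method, loc)));
}
```
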