
[whatwg] <form method="DELETE"> and 307 redirects

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 11 Feb 2010 22:39:18 -0800
Message-ID: <63df84f1002112239l3e3d3421w57fbbdf18e9e80d4@mail.gmail.com>
On Thu, Feb 11, 2010 at 10:06 PM, Adam Barth <whatwg at adambarth.com> wrote:
> On Thu, Feb 11, 2010 at 9:10 PM, Ian Hickson <ian at hixie.ch> wrote:
>> On Fri, 4 Dec 2009, Adam Barth wrote:
>>>
>>> The spec lets sites submit forms with PUT or DELETE methods to their
>>> origin server. What happens if the server responds with a 307 redirect
>>> to a foreign origin? Based on my reading of the fetch algorithm, the
>>> browser will issue a PUT or DELETE request (respectively) to the foreign
>>> origin. It seems like we want to generate a network error instead.
>>
>> HTTP already says for 301, 302, and 307 redirects: "If the [...] status
>> code is received in response to a request other than GET or HEAD, the user
>> agent MUST NOT automatically redirect the request unless it can be
>> confirmed by the user, since this might change the conditions under which
>> the request was issued".
>>
>> Do user agents not implement what HTTP specifies here?
>
> Neither Chrome nor IE show a dialog when 307 redirecting a POST. In
> any case, the user doesn't have any context for understanding what the
> dialog would mean, let alone making a security decision based on the
> dialog.

Yeah, I think we should make the same change in Firefox. I actually
created a pref a while back to control this behavior (in order to
allow suppressing the dialog during testing), so it would be a trivial
change to Firefox.

/ Jonas
Received on Thursday, 11 February 2010 22:39:18 UTC
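
The check proposed in the quoted text (a network error instead of re-sending PUT or DELETE to a foreign origin on a 307), sketched as an added example; it is not code from the thread, the HTML spec or any browser. The function name `decide307Redirect`, its return shape and the `example` hosts are hypothetical.

```javascript
// Added example: hypothetical user-agent check, not taken from any browser.
// Policy assumed from the thread: a 307 keeps the request method, so a
// non-GET/HEAD request must not be re-sent to a different origin.
const SAFE_METHODS = new Set(["GET", "HEAD"]);

function decide307Redirect(request, response) {
  if (response.status !== 307) {
    return { action: "not-307" }; // other statuses are out of scope here
  }
  if (typeof response.location !== "string" || response.location === "") {
    return { action: "network-error", reason: "missing Location" };
  }
  let target;
  try {
    // Location may be relative or scheme-relative ("//host/path"), so it
    // has to be resolved against the request URL before comparing origins.
    target = new URL(response.location, request.url);
  } catch {
    return { action: "network-error", reason: "unparseable Location" };
  }
  const method = request.method.toUpperCase();
  const sameOrigin = target.origin === new URL(request.url).origin;
  if (!SAFE_METHODS.has(method) && !sameOrigin) {
    return {
      action: "network-error",
      reason: `${method} would be re-sent to ${target.origin}`,
    };
  }
  return { action: "follow", method, url: target.href };
}

// Constructed sample exchanges (hosts are placeholders).
const samples = [
  ["DELETE", "https://app.example/items/1", "https://other.example/items/1"],
  ["PUT", "https://app.example/items/1", "//other.example/items/1"],
  ["DELETE", "https://app.example/items/1", "/v2/items/1"],
  ["DELETE", "https://app.example/items/1", "https://app.example:443/v2/items/1"],
  ["GET", "https://app.example/items/1", "https://other.example/items/1"],
];
for (const [method, url, location] of samples) {
  const verdict = decide307Redirect({ method, url }, { status: 307, location });
  console.log(method, location, "->", verdict.action, verdict.reason || verdict.url);
}
```

The scheme-relative and explicit-default-port samples show why the comparison is made on the resolved origin rather than on the raw `Location` string.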
