- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 11 Feb 2010 22:39:18 -0800
On Thu, Feb 11, 2010 at 10:06 PM, Adam Barth <whatwg at adambarth.com> wrote: > On Thu, Feb 11, 2010 at 9:10 PM, Ian Hickson <ian at hixie.ch> wrote: >> On Fri, 4 Dec 2009, Adam Barth wrote: >>> >>> The spec lets sites submit forms with PUT or DELETE methods to their >>> origin server. ?What happens if the server responds with a 307 redirect >>> to a foreign origin? ?Based on my reading of the fetch algorithm, the >>> browser will issue a PUT or DELETE request (respectively) to the foreign >>> origin. ?It seems like we want to generate a network error instead. >> >> HTTP already says for 301, 302, and 307 redirects: "If the [...] status >> code is received in response to a request other than GET or HEAD, the user >> agent MUST NOT automatically redirect the request unless it can be >> confirmed by the user, since this might change the conditions under which >> the request was issued". >> >> Do user agents not implement what HTTP specifies here? > > Neither Chrome nor IE show a dialog when 307 redirecting a POST. ?In > any case, the user doesn't have any context for understanding what the > dialog would mean, let along making a security decision based on the > dialog. Yeah, I think we should make the same change in firefox. I actually created a pref a while back to control this behavior (in order to allow suppressing the dialog during testing), so it would be a trivial change to Firefox. / Jonas
Received on Thursday, 11 February 2010 22:39:18 UTC