- From: Norman Walsh <ndw@nwalsh.com>
- Date: Thu, 16 Apr 2009 17:06:39 -0400
- To: public-xml-processing-model-comments@w3.org
- Message-ID: <m2hc0os3z4.fsf@nwalsh.com>
Florent Georges <fgeorges@fgeorges.org> writes:
> Besides the cookies (I've already told that point in a
> previous email) I wonder if an HTTP redirect should be followed
> automatically by the processor. For instance, some Google APIs
> use a 302 for authentification purpose in some cases. I don't
> say it is a good design, but I don't think this is a use case
> we could ignore.
The WG considered this at the 16 Apr 2009 telcon and concluded that
most users will expect redirects to be followed. Note, for example,
that many libraries, like java.net.url, automatically follow redirects
unless explicitly told not to.
We decided not to add a feature in 1.0 to disable this behavior. Although
it's clear that "one more boolean option" would do it, the p:http-request
step is already pretty complicated.
If there are good reasons not to follow redirects, we expect
implementors will support users by adding an extension attribute to
support that behavior. The WG can take this as input for some future
version.
In short, we're content with 7.1.10.3.1 as it stands in the current
editor's draft.
If you're not satisfied by this rationale, please let us know.
On a personal note, can you explain how the Google use of redirects
for authentication requires a pipeline to *not* follow the redirect in
order to access the API? I would have thought that was a case were
following the redirect (perhaps with cookies preserved) was
*necessary*.
Be seeing you,
norm
--
Norman Walsh <ndw@nwalsh.com> | We cannot put off living until we are
http://nwalsh.com/ | ready. The most salient characteristic
| of life is its coerciveness: it is
| always urgent, 'here and now' without
| any possible postponement. Life is
| fired at us point blank.--José Ortega Y
| Gasset
Received on Thursday, 16 April 2009 21:07:43 UTC