8957 – comments about HTTP requirements on redirects

This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 8957 - comments about HTTP requirements on redirects

Summary: comments about HTTP requirements on redirects

Status:	RESOLVED WORKSFORME

Alias:	None

Product:	HTML WG
Classification:	Unclassified
Component:	pre-LC1 HTML5 spec (editor: Ian Hickson) (show other bugs)
Version:	unspecified
Hardware:	PC Windows NT

Importance:	P2 normal
Target Milestone:	---
Assignee:	Ian 'Hixie' Hickson
QA Contact:	HTML WG Bugzilla archive list

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2010-02-12 10:25 UTC by Julian Reschke
Modified:	2010-10-04 14:47 UTC (History)
CC List:	4 users (show)

See Also:

Attachments

Description Julian Reschke 2010-02-12 10:25:02 UTC

"2.6 Fetching resources":

"Note: The HTTP specification requires that 301, 302, and 307 redirects, when applied to methods other than GET or HEAD, not be followed without user confirmation."

This is misleading; this is a known and confirmed bug in RFC 2616. The restriction is not on GET/HEAD, but on safe methods.

Comment 1 Julian Reschke 2010-02-12 10:47:30 UTC

Maciej Stachowiak points out that we did not fix this everywhere (http://lists.w3.org/Archives/Public/ietf-http-wg/2010JanMar/0170.html), the introduction to 3xx still says:

"The action required MAY be carried out by the user agent without interaction with the user if and only if the method used in the second request is GET or HEAD."

Comment 2 Julian Reschke 2010-02-12 10:49:27 UTC

(In reply to comment #1)
> Maciej Stachowiak points out that we did not fix this everywhere
> (http://lists.w3.org/Archives/Public/ietf-http-wg/2010JanMar/0170.html), the
> introduction to 3xx still says:
> 
> "The action required MAY be carried out by the user agent without interaction
> with the user if and only if the method used in the second request is GET or
> HEAD."

See also http://trac.tools.ietf.org/wg/httpbis/trac/ticket/10#comment:5

Comment 3 Ian 'Hixie' Hickson 2010-02-17 22:53:10 UTC

EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are satisfied with this response, please change the state of this bug to CLOSED. If you have additional information and would like the editor to reconsider, please reopen this bug. If you would like to escalate the issue to the full HTML Working Group, please add the TrackerRequest keyword to this bug, and suggest title and text for the tracker issue; or you may create a tracker issue yourself, if you are able to do so. For more details, see this document:
   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Accepted
Change Description: no spec change
Rationale: This seems to have been fixed already.

It's likely that this will change again (in a way that violates HTTP, if HTTP isn't fixed) to say that no UI is necessary for any redirects but that certain redirects just get blocked (e.g. cross-site DELETE or PUT from a form submission).