
RFC 2616 errata: overspecified restriction on automatic redirects

  • Roy T. Fielding
    Message 1 of 1 , Mar 3, 2001
      Section 10.3.2 (301 Moved Permanently) contains the paragraph

      If the 301 status code is received in response to a request other
      than GET or HEAD, the user agent MUST NOT automatically redirect the
      request unless it can be confirmed by the user, since this might
      change the conditions under which the request was issued.

      which fails to consider that there are many other request methods
      that are safe to automatically redirect, and further that the user agent
      is able to make that determination based on the request method semantics.
      In particular, the OPTIONS method is always safe to automatically redirect.
      Unfortunately, the paragraph was written long before there was OPTIONS,
      and was never updated to reflect the extensibility of methods. The
      same problem paragraph is found in sections 10.3.3 and 10.3.8.

      The above should be replaced with

      If the 301 status code is received in response to a request method
      that is known to be "safe", as defined in section 9.1.1, then the
      request MAY be automatically redirected by the user agent without
      confirmation. Otherwise, the user agent MUST NOT automatically
      redirect the request unless it is confirmed by the user, since the
      new URI might change the conditions under which the request was issued.

      along with similar changes for sections 10.3.3 and 10.3.8.
      It would also be helpful for each of the method definition sections
      to specifically define whether or not the method is safe.
      OPTIONS, GET, and HEAD are all safe in RFC 2616.
      HTTP extensions like WebDAV define additional safe methods.

      This change does not impact interoperability.

      Cheers,

      Roy T. Fielding, Chief Scientist, eBuilt, Inc.
      2652 McGaw Avenue
      Irvine, CA 92614-5840 fax:+1.949.609.0001
      (fielding@...) <http://www.eBuilt.com>

      Chairman, The Apache Software Foundation
      (fielding@...) <http://www.apache.org/>
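
The rule proposed in the message, as an added example that is not part of the original message or of any RFC text: a user agent follows 301/302/307 automatically only for methods it knows to be safe, and asks for confirmation at every hop otherwise. The function names, the `extra_safe` parameter, the sample URIs, and the use of PROPFIND as a WebDAV safe method are assumptions made for illustration.

```python
# Added example; names and sample data are constructed, not from the message.
# Methods the message lists as safe in RFC 2616 (section 9.1.1).
SAFE_METHODS = frozenset({"OPTIONS", "GET", "HEAD"})
# 301 (10.3.2), 302 (10.3.3), 307 (10.3.8): the sections the message names.
REDIRECT_STATUSES = frozenset({301, 302, 307})


def may_auto_redirect(method, extra_safe=()):
    """True only if the method is *known* to be safe.

    Method tokens are case-sensitive, so "get" is an unknown method here.
    Unknown extension methods default to requiring confirmation.
    """
    return method in SAFE_METHODS or method in extra_safe


def follow(method, uri, responses, confirm=None, extra_safe=(), max_hops=5):
    """Walk a constructed {uri: (status, location)} map.

    confirm(method, source, target) stands in for the user prompt and is
    called once per hop, because each new URI may change the conditions
    under which the request was issued. Returns (last_uri, outcome).
    """
    for _ in range(max_hops):
        status, location = responses[uri]
        if status not in REDIRECT_STATUSES:
            return uri, "done"
        if not may_auto_redirect(method, extra_safe):
            if confirm is None or not confirm(method, uri, location):
                return uri, "needs-confirmation"
        uri = location
    return uri, "too-many-redirects"


# Constructed sample responses.
SAMPLE = {
    "/old": (301, "/moved"),
    "/moved": (307, "/new"),
    "/new": (200, None),
    "/loop": (302, "/loop"),
}

if __name__ == "__main__":
    for m in ("GET", "OPTIONS", "POST", "PROPFIND", "get"):
        print(m, follow(m, "/old", SAMPLE))
    print("PROPFIND (declared safe)",
          follow("PROPFIND", "/old", SAMPLE, extra_safe={"PROPFIND"}))
```
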