RFC 2616 errata: overspecified restriction on automatic redirects
- Section 10.3.2 (301 Moved Permanently) contains the paragraph

      If the 301 status code is received in response to a request other
      than GET or HEAD, the user agent MUST NOT automatically redirect the
      request unless it can be confirmed by the user, since this might
      change the conditions under which the request was issued.

which fails to consider that there are many other request methods
that are safe to automatically redirect, and further that the user agent
is able to make that determination based on the request method semantics.
In particular, the OPTIONS method is always safe to automatically redirect.
Unfortunately, the paragraph was written long before there was OPTIONS,
and was never updated to reflect the extensibility of methods. The
same problem paragraph is found in sections 10.3.3 and 10.3.8.
The above should be replaced with

      If the 301 status code is received in response to a request method
      that is known to be "safe", as defined in section 9.1.1, then the
      request MAY be automatically redirected by the user agent without
      confirmation. Otherwise, the user agent MUST NOT automatically
      redirect the request unless it is confirmed by the user, since the
      new URI might change the conditions under which the request was issued.

along with similar changes for sections 10.3.3 and 10.3.8.
It would also be helpful for each of the method definition sections
to specifically define whether or not the method is safe.
OPTIONS, GET, and HEAD are all safe in RFC 2616.
HTTP extensions like WebDAV define additional safe methods.
This change does not impact interoperability.
Roy T. Fielding, Chief Scientist, eBuilt, Inc.
2652 McGaw Avenue
Irvine, CA 92614-5840 fax:+1.949.609.0001
Chairman, The Apache Software Foundation
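
The proposed wording, sketched as a user-agent redirect policy. This is an added example, not text from the erratum or code from any HTTP implementation; the names RedirectPolicy, may_follow, walk and SAMPLE are hypothetical, the URIs are constructed, and registering PROPFIND as an extension safe method assumes RFC 4918's definition of it as safe.

```python
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})  # safe in RFC 2616, per the text
RULE_STATUSES = frozenset({301, 302, 307})            # sections 10.3.2, 10.3.3, 10.3.8


class RedirectPolicy:
    """Hypothetical user-agent policy implementing the proposed wording."""

    def __init__(self, extra_safe=(), confirm=None):
        # Extensions register their own safe methods (assumption: PROPFIND,
        # which RFC 4918 defines as safe). Method tokens are case-sensitive.
        self.safe = SAFE_METHODS | frozenset(extra_safe)
        self.confirm = confirm  # callable(method, new_uri) -> bool, or None

    def may_follow(self, method, status, new_uri):
        if status not in RULE_STATUSES:
            return False                      # not covered by this rule
        if method in self.safe:
            return True                       # MAY redirect without confirmation
        # Unknown or unsafe method: MUST NOT redirect unless the user confirms.
        return self.confirm is not None and bool(self.confirm(method, new_uri))


def walk(policy, method, uri, responses, max_hops=5):
    """Follow a constructed redirect map {uri: (status, location)}.

    Returns (final_uri, blocked): blocked is True when a redirect was refused
    or the hop limit was reached.
    """
    for _ in range(max_hops):
        status, location = responses.get(uri, (200, None))
        if location is None:
            return uri, False
        if not policy.may_follow(method, status, location):
            return uri, True
        uri = location
    return uri, True


# Constructed sample data, not taken from any real server.
SAMPLE = {
    "http://a.example/old": (301, "http://a.example/new"),
    "http://a.example/new": (307, "http://b.example/final"),
}
```

A method the client does not recognise, including a differently cased token such as "options", falls through to the confirmation branch, so an unsafe request is never replayed against a new URI without the user's approval.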