November 30, 2007 at 11:41AM Firefox, Opera, and possibly others treat 301 and 302 redirects incorrectly.
In HTTP 1.1 (and HTTP 1.0, it seems), 301 (Permanent Redirect) and 302 (Temporary Redirect) redirects specify that the page you’re requesting has moved either permanently or temporarily. If you’re POSTing and you get such a redirect, you’re meant to send the POST request to the page given in the provided Location header instead.
However, both Firefox and Opera (and possibly other browsers) incorrectly treat the redirect the same way as a 303 (See Other) redirect. A 303 redirect informs the user agent that the request has been processed successfully, and the result is to be found at the URL given in the Location header.
Now, there are fairly good reasons for the broken behaviour in response to the 302 redirect; older code used 302 redirects as 303 redirects are used today. However, the behaviour with 301 redirects is completely broken.
I’ve submitted bug reports for Firefox and Opera, though Opera don’t provide URLs for them. The Opera bug report code is 300955.
I’ve put a demonstration of the bug online. The destination page should state that the request method for 301 and 302 redirects is POST in a conformant user agent. A non-conformant one will state that it’s GET.
Update: Konqueror (and by implication, Safari, I’d guess) exhibits the very same bug. Anybody want to try it in IE?
Update: Thanks to Phil Ringnalda for getting back to me on the bug. I’d missed an older report on the same topic, so it turned out mine was a duplicate. It’s something of a pity that this’ll never be fixed, at least for permanent redirects, but I guess that’s one form of brokenness we’re just going to have to put up with.
1 On November 30, 2007 at 18:33, Phil Ringnalda wrote:
IE (7, but the behavior would be the same back through the dawn of time), and Netscape Navigator (4.x, but again... dawn of time), and probably Mosaic, do the same thing.
It would be interesting to know how often users of a browser which doesn’t change the method on redirects report broken websites, and how horribly broken those sites are, but I suspect that if there is any browser which doesn’t, it would be Amaya, and I don’t think it actually has users.
2 On December 12, 2007 at 12:45, Daniel Mackey wrote:
Hi Keith,
If you go to Talideon.com a message displays saying you will be redirected to your blog. This is in an infinite loop and the page keeps refreshing with the same message. People need to manually click the link. Just a heads up...
3 On December 14, 2007 at 15:45, Keith wrote:
Thanks for that, Dan. The problem happens if you access it via
http://www.talideon.com/. I don’t include thewww., so I didn’t notice it. I’ll see about fixing it.4 On December 14, 2007 at 15:49, Keith wrote:
Ok, fixed. But it turns out the actual reason was that CF expects a space between the value after the
Locationheader and the colon separating it from the value, so...Will be fine, but...
Will cause problems, even though it shouldn’t.
5 On December 14, 2007 at 15:50, Keith wrote:
FYI, the crappy redirect is in there to get my OpenID working. I have to find a better way for getting that to work...