Ruby on Rails | Screencasts | Download | Documentation | Weblog | Community | Source

Ticket #1923 (closed enhancement: wontfix)

Opened 3 years ago

Last modified 1 year ago

`redirect_to` should issue a 303 status if redirecting away from a POST.

Reported by: markwubben+ror@gmail.com Assigned to: David
Priority: normal Milestone: 1.x
Component: ActionPack Version: 0.13.1
Severity: normal Keywords: http redirection browsers post get
Cc: rtomayko@gmail.com

Description (Last modified by david)

Currently when you call redirect_to it will issue a 302 Found status The user agent will then, according to the spec, request the new location using POST. This means that if you refresh this new location the browser will ask for verification (because it thinks you are resending data to the server).

Instead, a 303 See Other status should be issued, allowing the user agent to do a GET on the new location.

Change History

08/08/05 14:20:34 changed by nzkoz

  • priority changed from normal to low.
  • severity changed from normal to minor.

Well, no browsers seem to actually issue the POST request, so there's not really a problem here.

Is 303 supported by all the major browsers?

08/08/05 15:13:04 changed by markwubben+ror@gmail.com

Firefox issues the POST request. 303 is specified in HTTP/1.1, so I'd say virtually all browsers in use today support 303.

08/16/05 03:59:07 changed by nzkoz

  • milestone set to 1.x.

Would you care to provide a patch for this? 302 and 303 isn't particularly well enforced by browsers so I wouldn't expect this would become a priority.

If the 302 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

08/17/05 07:44:54 changed by markwubben+ror@gmail.com

Michael, I'll give it a shot.

09/08/05 11:53:23 changed by david

I'm unable to recreate that Firefox should ask for verification after redirect on a POST. Which version are you seeing this on? 1.0.4 here.

09/09/05 07:53:49 changed by markwubben+ror@gmail.com

I just tried it with a recent Instiki-AR build in Firefox 1.0.6 on Tiger, and it didn't do that. However when I posted this report I was running on Ubuntu and it did request verification (normal scaffolded action). The specific application isn't running anymore though, so I can't easily reproduce this.

09/16/05 14:44:36 changed by anonymous

  • cc set to rtomayko@gmail.com.

11/06/05 08:06:37 changed by david

  • type changed from defect to enhancement.
  • description changed.

08/17/06 16:40:01 changed by dave.fuller@softwyre.com

  • priority changed from low to normal.
  • type set to defect.
  • severity changed from minor to normal.
  • milestone changed from 1.1 to 1.x.

It appears to me that IE6.0 is issuing a POST request. I get all the normal messages from the browser that one would expect in this case. There is solid discussion of this topic at http://www.megginson.com/blogs/quoderat/archives/2006/05/31/firefox-vs-prg/ with a test at http://www.megginson.com/test/prg/prg-test.html, although to test in IE, you must save the page to your harddrive and replace the form action url with http://www.megginson.com/test/prg/do-prg-test.php and change the <button>submit</button> line with <input type="submit"/>. Once you do this, you will see that IE issues no posts and no complaints when you back up to the form. This is b/c he is using 303. With 302 as rails is currently using, I get all sorts of complaints when I back up to my form.

08/18/06 20:23:02 changed by kastberg@tkwsping.nl

  • cc changed from Unknown to rtomayko@gmail.com.
  • keywords changed from Unknown to http redirection browsers post get.
  • type changed from defect to enhancement.
  • summary changed from Unknown to `redirect_to` should issue a 303 status if redirecting away from a POST..

09/02/06 21:13:14 changed by bitsweat

  • type changed from defect to enhancement.

01/19/07 07:32:06 changed by jarkko

I've been testing for a while now and I can't reproduce this either on IE 6.0.26 or IE SP2. Both issue a GET after a form post redirect regardless of the response code:

303

Processing SessionsController#create (for 64.151.100.71 at 2007-01-18 23:19:29) [POST]
  Session ID: 39baba7b246d121cf7cc2a8a094b0f32
  Parameters: {...}
Redirected to http://***/
Completed in 0.00954 (104 reqs/sec) | DB: 0.00411 (43%) | 303 See Other [https://***/sessions]


Processing EntriesController#index (for 64.151.100.71 at 2007-01-18 23:19:29) [GET]
  Session ID: 39baba7b246d121cf7cc2a8a094b0f32
  Parameters: {"action"=>"index", "controller"=>"entries"}
Rendering  within layouts/application
Rendering entries/index
Completed in 0.97636 (1 reqs/sec) | Rendering: 0.20272 (20%) | DB: 0.55385 (56%) | 200 OK [https://***/]

302

Processing FlagsController#create (for 10.10.15.1 at 2007-01-18 23:20:19) [POST]
  Session ID: 39baba7b246d121cf7cc2a8a094b0f32
  Parameters: {"commit"=>"Flag It", "return_to"=>"/entries/59", "action"=>"create", "flag"=>{"type_id"=>"8
", "reason"=>""}, "flaggable_id"=>"59", "controller"=>"flags", "flaggable_type"=>"Entry"}
Redirected to http://***/entries/59
Completed in 0.07108 (14 reqs/sec) | DB: 0.06113 (86%) | 302 Found [http://***/flags]


Processing EntriesController#show (for 10.10.15.1 at 2007-01-18 23:20:20) [GET]
  Session ID: 39baba7b246d121cf7cc2a8a094b0f32
  Parameters: {"action"=>"show", "id"=>"59", "controller"=>"entries"}
Rendering  within layouts/application
Rendering entries/show
Completed in 0.14381 (6 reqs/sec) | Rendering: 0.03949 (27%) | DB: 0.09513 (66%) | 200 OK [http://***/entries/59]

05/29/07 18:27:06 changed by josh

  • status changed from new to closed.
  • resolution set to wontfix.

Closing stale ticket.