[whatwg] <form method="DELETE"> and 307 redirects

Boris Zbarsky bzbarsky at MIT.EDU
Thu Feb 11 22:04:30 PST 2010


On 2/12/10 12:10 AM, Ian Hickson wrote:
> HTTP already says for 301, 302, and 307 redirects: "If the [...] status
> code is received in response to a request other than GET or HEAD, the user
> agent MUST NOT automatically redirect the request unless it can be
> confirmed by the user, since this might change the conditions under which
> the request was issued".
>
> Do user agents not implement what HTTP specifies here?

What Necko (and hence Gecko) implements is the following, as far as I 
can tell:

1)  A 301 or 302 response leads to a silent redirect performed via a
     GET of the Location header.
2)  A 307 response to a request that had a (possibly empty) request
     body (this always includes the form POST case) puts up one of those
     dialogs from hell.  It's a prompt that asks: "This web page is
     being redirected to a new location. Would you like to resend the
     form data you have typed to the new location?"  No indication of
     what the new location is.  The user is presented with an "OK"
     button and a "Cancel" button.  If the user selects the former, the
     request is redirected.  If the latter, the response-body of the 307
     response is shown, I think, modulo some SSL stuff.
3)  A 307 response to a request that does not have a request body (a
     situation one can get into by passing null to XHR send(), I think),
     is silently redirected to the new URI while preserving the request
     method.  Note that this is somewhat mitigated by the restrictions
     on cross-origin XHR, if it can be reached via XHR at all.

-Boris
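
Added example, not part of the original message and not Necko code: the three cases described above written as a decision function and compared with a literal reading of the HTTP text quoted at the top of the message. The request/response object shapes, the function names and the `a.example`/`b.example` URLs are assumptions constructed for illustration.

```javascript
// Models the behaviour described in the message; this is not Necko source code.
// Assumed shapes: req = {method, url, hasBody}, res = {status, location}.

// Redirect handling as the message describes it for Necko (cases 1 to 3).
function describedNeckoPolicy(req, res) {
  if (res.status === 301 || res.status === 302) {
    return { action: 'follow', method: 'GET', prompt: false };      // case 1
  }
  if (res.status === 307) {
    // hasBody is true even for an empty body (the form POST case).
    return { action: 'follow', method: req.method, prompt: req.hasBody }; // cases 2, 3
  }
  return { action: 'none' };
}

// Literal reading of the quoted HTTP text: for 301/302/307, a request other
// than GET or HEAD is not redirected automatically without confirmation.
function quotedHttpRule(req, res) {
  if (![301, 302, 307].includes(res.status)) return { action: 'none' };
  const safe = req.method === 'GET' || req.method === 'HEAD';
  return { action: 'follow', prompt: !safe };
}

// Compare the two and resolve the target, so a prompt could name the location.
function auditRedirect(req, res) {
  const necko = describedNeckoPolicy(req, res);
  const rule = quotedHttpRule(req, res);
  if (necko.action === 'none') return { followed: false };
  const target = new URL(res.location, req.url);
  return {
    followed: true,
    target: target.href,
    crossOrigin: target.origin !== new URL(req.url).origin,
    methodSent: necko.method,
    prompted: necko.prompt,
    silentWhereRuleWantsConfirm: rule.prompt && !necko.prompt,
  };
}

// Constructed sample inputs, one per case in the message.
const cases = [
  [{ method: 'POST', url: 'https://a.example/form', hasBody: true }, { status: 302, location: '/done' }],
  [{ method: 'POST', url: 'https://a.example/form', hasBody: true }, { status: 307, location: 'https://b.example/x' }],
  [{ method: 'DELETE', url: 'https://a.example/item/1', hasBody: false }, { status: 307, location: 'https://b.example/item/1' }],
];
for (const [req, res] of cases) console.log(req.method, res.status, auditRedirect(req, res));
```

The third case is the one the thread subject is about: a bodiless DELETE answered with a 307 is re-sent as DELETE to the new origin with `prompted: false`.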


