PerlMonks  

Re: Redirect after POST behavior in LWP::UserAgent differs from Netscape's?

by extremely (Priest)
on Mar 16, 2001 at 01:24 UTC


in reply to Redirect after POST behavior in LWP::UserAgent differs from Netscape's?

don't know what the HTTP RFC says, but I guess it wouldn't matter, since Netscape's has to be the de-facto standard.

The RFC says that allowing a redirect to a POST is unsafe and that clients shouldn't do it. To do so is evil and guaranteed to act weird with all browsers. Some will convert to GET style and happily send your data to the error page you got because the CGI is broken. Others ask and some fail silently.

I think that you will find people rather unhappy with you offering to break compliance with a standard. Make sure the patch you offer is both optional and defaults to off.

Sarcasm about Netscape being "standard" removed before posting =) =)

--
$you = new YOU;
honk() if $you->love(perl)

Replies are listed 'Best First'.
Re: Re: Redirect after POST behavior in LWP::UserAgent differs from Netscape's?
by merlyn (Sage) on Mar 16, 2001 at 01:54 UTC
    Sarcasm about Netscape being "standard" removed before posting =) =)
    I've often said (and gotten away with) in my columns the phrase "non-standard browsers, such as Netscape and IE".

    -- Randal L. Schwartz, Perl hacker

Re: Redirect after POST behavior in LWP::UserAgent differs from Netscape's?
by gregorovius (Friar) on Mar 16, 2001 at 22:37 UTC
    But people use those undocumented quirks in browser implementation. I don't think we could ever banish reliance on such non-standard features, so maybe the best way to deal with them would be to incorporate them into the RFC in substitution of the original spec (I'm not talking specifically about this one quirk, which you say is unsafe; BTW, would you delve into why it is so?).

    PerlMonks itself, doesn't it rely on Netscape's redirect after POST behavior?

    Also, consider that Perl is a good example of the implementation being also the standard, a system that has worked pretty well, IMHO.

      Well, the main "danger" is that you could be directed to a site other than the one you felt safe giving your data to. If you hit a post to Amazon's order form and the last page redirected you to Barnes and Noble's page for the purchase. Worse, if the error document of the site was "tweaked" and the CGI removed you might wind up pouring your data into someone else's logs.

      Also, please don't confuse redirect AFTER post with redirecting THE post. You shouldn't be conned into sending data to someone you didn't expect. Where the browser goes after the data is received properly is something else entirely.

      Read for yourself: RFC 2616 Sec 10.3.2 and and you might look at most of Sec 15 as well.

      --
      $you = new YOU;
      honk() if $you->love(perl)

        Thanks for your help!

        Also, please don't confuse redirect AFTER post with redirecting THE post

        I'm not confusing it, that's just the issue with the behavior of LWP::UserAgent. If you override its 'redirect_ok' method to return True on POST requests then it will post all your submitted data to the site the server requests redirection to. If seen this way then Netscape's behavior can be regarded as safer than LWP::UserAgent's, since it won't post all your data to the site down the line (it should be noted that UserAgent's default is to NOT follow POST redirects, though, but its documentation says nothing about the way it follows POST redirects and its being non-standard).

        We could conclude, then, that both LWP::UserAgent and Netscape are non-compliant, and that Netscape's behavior is safer.
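
A guarded alternative to a `redirect_ok` override that returns true for every POST, as an added example that is not code from any poster in this thread or from LWP itself. It assumes a current LWP::UserAgent, where `redirect_ok` receives the prospective request and the redirect response; the class name, URLs and form data are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

package GuardedRedirectUA;            # hypothetical class name
use parent 'LWP::UserAgent';

# scheme://host:port of an http(s) URI object
sub _origin { my $u = shift; return lc($u->scheme . '://' . $u->host_port) }

# LWP passes the request it is about to send ($next) and the redirect
# response; $response->request is the request that drew the redirect.
# This replaces the stock check, which only follows GET and HEAD.
sub redirect_ok {
    my ($self, $next, $response) = @_;
    my $prev = $response->request or return 0;
    return 0 unless ($next->uri->scheme // '') =~ /^https?$/;

    # Redirect AFTER the post: the follow-up is a GET/HEAD with no body.
    my $bodiless = $next->method =~ /^(?:GET|HEAD)$/
                && !length($next->content);

    # Redirecting THE post: the body is sent again, so same origin only.
    my $same_origin = _origin($next->uri) eq _origin($prev->uri);

    return ($bodiless || $same_origin) ? 1 : 0;
}

package main;
use HTTP::Request;
use HTTP::Response;

# Constructed sample: a form POST that was answered with a redirect.
my $post = HTTP::Request->new(POST => 'https://shop.example/order');
$post->content('item=42&ship_to=home');
my $resp = HTTP::Response->new(302, 'Found');
$resp->request($post);

# The policy is called directly, with no network traffic. Which kind of
# follow-up LWP itself builds depends on its version and the status code.
my $ua = GuardedRedirectUA->new;
for my $case ([GET  => 'https://shop.example/thanks'],
              [POST => 'https://shop.example/order/confirm'],
              [POST => 'https://other.example/collect'],
              [GET  => 'https://other.example/landing']) {
    my ($method, $url) = @$case;
    my $next = HTTP::Request->new($method => $url);
    $next->content($post->content) if $method eq 'POST';
    printf "%-4s %-36s %s\n", $method, $url,
        $ua->redirect_ok($next, $resp) ? 'follow' : 'refuse';
}
```

Only the cross-origin POST is refused: a bodiless GET to another site is still followed, because the submitted form data does not travel with it.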

Re: Re: Redirect after POST behavior in LWP::UserAgent differs from Netscape's?
by baku (Scribe) on Mar 16, 2001 at 22:53 UTC

    Newer versions of Netscape will warn you about being redirected with POST before allowing it to happen; I believe that the same goes for recent MSIE's.
