Should Content-Type header be stripped when redirecting from POST to GET? #609
Comments
|
I guess we should do this for 301/302 as well when we change the method to GET there? If someone is willing to write tests I'm happy to file all the browser bugs (if any) and change the specification. It seems a little weird, but since we modify the request anyway we might as well do this too. Should we remove other |
|
cc @mnot |
annevk
added
needs tests
|
Yeah, for 303 it's truely a different request, so it doesn't make sense to talk about the old request body. For 301 and 302 where you change the method, I think the same argument applies; it doesn't make sense to talk about a request body that isn't there. |
|
@mnot thanks, but we already drop the body. The question is what should happen with |
|
Yep; There are cases when there are headers that reference a missing body, but I don't think this is one of them; they're mostly around responses that refer to things in caches or the state of the resource after a change. |
|
So should we drop all headers that start with |
|
@mnot ping. |
|
I just closed XHR issue 192 (whatwg/xhr#192) of this, but was wondering if the inconsistency I found there is related to this. Browsers are currently passing the "301 POST with string and explicit Content-Type safelisted" XHR WPT in /xhr/send-redirect-to-cors.htm, but I don't believe they should if we're meant to strip these content- headers (since it's a 301 redirect that expects the body to be nulled, so it seems it should not be expecting the content-type to remain). |
|
Sorry, missed the notification.
Safest thing to do for now would probably be to enumerate the applicable headers to remove; since we're talking about a request, I think that's I'm assuming that things "below" fetch will be managed appropriately (e.g., That's not terribly satisfying. When the method is rewritten, I'd argue that the request is fundamentally new, and the application needs to decide whether the various headers it might have added are still applicable -- i.e., the redirect should NOT be automatic. But I recognise that allowing that causes other headaches. You'll probably want to enumerate the headers as a list in Fetch, so you can add to it; e.g., the proposed |
|
The web platform follows redirects (and includes any headers on them), by default. And exposing redirects is a security concern at this point (unless they provide some opt-in I'm okay to be read header we haven't defined yet). So yeah, redirects are just different on "web platform HTTP" I guess. |
annevk
added
good first issue
|
Okay, so what I think we should here is:
I'm happy to help out with the tests. |
|
@JuniorHsu wrote a PR for this in #977! |
annevk
removed
the
needs tests
and others
The reporter of Chrome issue https://bugs.chromium.org/p/chromium/issues/detail?id=765898 ("XHR preserves Content-Type on cross-origin 303 redirect") argues that when a 303 redirect causes a request to be redirected from POST to GET and the request body stripped, the Content-Type header should also be removed.
Chrome's current behaviour differs depending on the type of fetch that is being performed.
Before settling on a single behaviour in Chrome it would be nice to be definitive about what the standard behaviour is.
My understanding from reading the above Chrome issue is that the standard currently implies that the header is not removed, but removing it has better compatibility with servers.
The text was updated successfully, but these errors were encountered: