Issue #906 resolved

Firefox displays a popup on redirect

created an issue

A form is posted to a save() controller method, which then redirects somewhere else. Why would Firefox display a popup saying "This web page is being redirected to a new location. Would you like to resend the form data you have typed to the new location?"

The problem appears to be in

Calling HTTPRedirect() with status=303 fixes this. Remember, this is a POST request which then redirects to a GET request, and I don't want that popup!

Nando Florestan

Comments (10)

  1. Anonymous

    There is no way for CherryPy to know that the target of your redirection will be a GET request as opposed to another POST.

    If you are dependent on the use of a HTTP 303 code, then you should be explicitly specifying them.

    As of now I don't see what's wrong with that changeset.

  2. Anonymous

    On POST requests, a client shouldn't redirect without asking beforehand as per the spec. There is nothing wrong with CP and I'm closing this defect unless you can show us there is an actual error per se.

  3. Christian Wyglendowski

    No, I think the user who opened the ticket is right. The previous behavior was inline with the HTTP spec and it is a very common pattern. The developer should not have to specify the HTTP status code for this common activity. Here is an excerpt from the RFC 2616:

    10.3.4 303 See Other
    The response to the request can be found under a different URI and SHOULD be retrieved using a
    GET method on that resource. This method exists primarily to allow the output of a 
    POST-activated script to redirect the user agent to a selected resource.

    That being said, the original description doesn't need to lay personal blame for spec interpretation. I've corrected that.

  4. Robert Brewer

    The use cases for 303 and 307 are '''both''' very common. Use 303 when you want the client to GET the response at a different URI (N.B. '''not''' a GET on the same URI--a different one). Use 307 when you want the client to re-issue the same request, regardless of HTTP method, to a different URI.

    The crux of this issue is not which one to use when, but which should be the default. There is an obvious mistake in my changeset: I left the code at 303 for GET/HEAD, which isn't proper since the spec itself says 303 is primarily for an initial POST.

    I'd be happy to revert the change. However, there are some cases that do have enough information to prefer 307. My use case for the change was the trailing slash Tool--you don't want a POST on `/abc` to redirect to a GET on `/abc/`.

  5. Christian Wyglendowski

    That explanation and use case makes sense. Why the 307 and not a 301 though? The 301 seems more accurate, especially in the trailing slash use case. Also, that use case should be handled within that tool, don't you think?

    I'm not very keen on changing the default behavior of HTTPRedirect at this point. Speaking selfishly, I'd like to see us migrate our applications to CherryPy 3.1.x (or maybe 3.2.x ;-)) at some point and I wouldn't want to go through the source code and change all of the places that we redirect to some other resource as a result of a POST.

  6. Log in to comment