What is the correct behavior expected of an HTTP POST => 302 redirect to GET?

http redirect http-status-codes
Joshua Ball picture Joshua Ball · Jul 12, 2013 · Viewed 21.5k times · Source

What is the correct behavior expected of a POST => 302 redirect to GET?

In chrome (and likely most every browser), after I POST (to a resource that wants me to redirect) and I receive a 302 redirect, the browser automatically issues a GET on the 302 location. This is even a well known pattern. But the way I read the spec, it seems to suggest this should not happen.

The HTTP spec says

If the 302 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user, since this might change the conditions under which the request was issued.

And fiddler is showing: 

REQUEST 1: POST URLA
RESPONSE 1: 302 redirect to URLB
REQUEST 2: GET URLB

The section above seems to say that the browser should not make the GET request? What am I missing?

  1. Something earlier in the spec that makes this section irrelevant
  2. My understanding of automatically redirect is wrong (and the chrome browser that did the GET wasn't really automatically redirecting)
  3. My understanding of confirmed this as a user
  4. Something else?

Answer

abarnert picture abarnert · Jul 12, 2013

The very next line in the spec begins:

Note: RFC 1945 and RFC 2068 specify that the client is not allowed to change the method on the redirected request. However, most existing user agent implementations treat 302 as if it were a 303 response, performing a GET on the Location field-value regardless of the original request method. The status codes 303 and 307 have been added for servers that wish to make unambiguously clear which kind of reaction is expected of the client.

And immediately after that, it explains how a 303 should be handled, and it's exactly what you're seeing.

If you're asking why servers are still using 302 instead of 307, which all current browsers will handle correctly, it's because old browsers won't handle it. If you're wondering why browsers handle 302 as 303, it's because old servers expect it. There's really no way out of that loop, and it would probably be better for HTTP to just revert 302 to mean what it used to mean, and deprecate it (for non-GET/HEAD) in favor of 307.

Related questions

What is correct HTTP status code when redirecting to a login page?

When a user is not logged in and tries to access a page that requires login, what is the correct HTTP status code for a redirect to the login page? I am asking because none of the 3xx response codes …

Read More
Difference between HTTP redirect codes

The differences between the various HTTP 3XX redirect codes are not clear to me. Yes, I've read the spec, but there seems to be some discrepancy between the standard and actual practice here. The 301 redirect code seems clear enough: This …

Read More
HTTP statuscode to retry same request

Is there an HTTP status code to instruct a client to perform the same request again? I am facing a situation where the server has to "wait" for a lock to disappear when processing a request. But by the time …

Read More