Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Do not follow Location headers for POSTs #46

Open
mcollina opened this issue Jan 21, 2019 · 6 comments
Open

Do not follow Location headers for POSTs #46

mcollina opened this issue Jan 21, 2019 · 6 comments

Comments

@mcollina
Copy link
Collaborator

Currently simple-get will send a duplicated POST request if the response has a location header. I think this is not correct because POST requests are not idempotent. Moreover this is very common in REST applications, return a 204 status code with a Location header for a resource that should be accessed via GET (not POST).

I'm happy to file a PR if you agree that this should be fixed.

@bendrucker
Copy link
Collaborator

Shouldn't this only be happening with a 3xx status code?

https://github.com/feross/simple-get/blob/master/index.js#L48

While POSTs aren't idempotent, it should be safe to send another request when the server specifically says so. It's definitely reasonable/common to send back a Location header with the URL for the new resource in response to a POST. GitHub does it, for example.

@mcollina
Copy link
Collaborator Author

The problem is for 3xx status codes. According to MDN, https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/303:

This response code is usually sent back as a result of PUT or POST. The method used to display this redirected page is always GET.

@bendrucker
Copy link
Collaborator

Seems like that's 303-specific. 301 and 302 are not recommending for GET/HEAD only, which I'd agree with. I can't say I've ever seen an API that sends back 3xx codes for writes. Do you have an example of where this is happening?

@mcollina
Copy link
Collaborator Author

The issue is an example of how unexpected it is to see a POST request repeated. I think following redirects should be a GET-only behavior.

POST requests are non-repeateable actions, as such they should not be repeated and the control should return to the user.

@bendrucker
Copy link
Collaborator

In a semantically correct API, yes, POSTs are not idempotent. But it's also pretty non-standard to send back a 301 for a POST. Someone could be relying on redirect triggering a second request.

Passing back control is a probably a good option for everyone since someone depending on a redirect can do so themselves.

I'm interested in how other user agents (browsers, other node http clients) handle this. I suspect browsers might have some form of cross origin restriction for following non GET/HEAD redirects if they follow them at all.

It is simple-get so I can get behind not redirecting writes for simplicity.

@mcollina
Copy link
Collaborator Author

https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections is a good resource that lists the behavior of all status code.

I think the simpler implementation is to not follow redirects for anything but HEAD or GET requests, as they are the only one guaranteed idempotent. We could enable some HTTP code to redirect on POST etc, as some are definitely safe.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants