net/http: use 308 instead of 301 in Server to preserve POST payload in redirects #50243
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
darwin/amd64
What did you do?
Here is the Go server code:
Here is the curl client, which issues a POST request with a JSON payload to the API:
At this point our server correctly identifies the POST payload and prints it out on stdout.
Now, let's change the URI on the client side (we will include double slashes) to force an HTTP request redirect:
Here, see the last line: our server correctly identifies the POST request but not its payload, i.e. due to the redirect to GET and then back to POST we lost our payload in the HTTP request flow.
There are two possible redirects which the server can use, the 301 StatusMovedPermanently and the 308 StatusPermanentRedirect. The former, according to RFC7231, will change the original POST request to GET during the redirect, while the latter (according to RFC7238) will not allow the original POST request to be changed. Based on which status is used by Go http/server.go, the behavior on the client side can change.
So far, Go net/http/serve.go uses 301 StatusMovedPermanently in different places, see:
I suggest changing it to 308 StatusPermanentRedirect to preserve the original HTTP request from the client.
What did you expect to see?
If we change StatusMovedPermanently to StatusPermanentRedirect in net/http/server.go code, then the client will properly follow the redirect and its payload will not be lost. After I changed that in net/http/server.go and recompiled/restarted my server code I see now that my client correctly follows the redirect and its payload is received by the server:
See the last line here: the server correctly shows the POST method and the HTTP payload.
What did you see instead?
If we use 301 StatusMovedPermanently, the client's POST payload will be lost on the server, while with 308 StatusPermanentRedirect it is not.
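The behavior reported in this issue can be checked with a self-contained program; this is an added example, not code from the issue or from the Go project. It assumes hypothetical `/old` and `/api` paths, a constructed JSON payload, and an explicit redirect handler standing in for the server-side redirect so that the status code can be chosen, and it uses Go's own HTTP client rather than curl.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// seen records what the final handler received after the redirect.
type seen struct{ Method, Body string }

// postThroughRedirect POSTs a constructed JSON payload to /old on a local
// test server that redirects to /api with the given status code, and returns
// the method and body that actually reach the /api handler.
func postThroughRedirect(code int) (seen, error) {
	var got seen
	mux := http.NewServeMux()
	mux.HandleFunc("/api", func(w http.ResponseWriter, r *http.Request) {
		b, _ := io.ReadAll(r.Body)
		got = seen{Method: r.Method, Body: string(b)}
	})
	mux.HandleFunc("/old", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/api", code) // hypothetical paths, chosen status
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()

	payload := `{"key":"value"}` // constructed sample payload
	resp, err := srv.Client().Post(srv.URL+"/old", "application/json", strings.NewReader(payload))
	if err != nil {
		return got, err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return got, nil
}

func main() {
	for _, code := range []int{http.StatusMovedPermanently, http.StatusPermanentRedirect} {
		got, err := postThroughRedirect(code)
		fmt.Printf("%d -> method=%s body=%q err=%v\n", code, got.Method, got.Body, err)
	}
}
```

A handler that sits behind a 301 and silently accepts an empty body can mask this kind of data loss, so validating the method and payload at the target endpoint makes the failure visible.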