Add note about using 303 See Other for XHR requests other than GET/POST

IE since version 6 and recently Chrome and Firefox have started following
302 redirects from XHR requests other than GET/POST using the original request
method. This can lead to DELETE requests being redirected amongst other things.

Although it doesn't directly affect the Rails framework since it doesn't return
a 302 redirect to any non-GET/POST request a note has been added to raise
awareness of the issue. Some references:

Original article from @technoweenie:

Hacker News discussion of the article:

WebKit bug report:

Firefox bug report and changeset:

Chrome bug report:

HTTPbis bug report and changeset:

Roy T. Fielding's history of the issue:

Automated browser tests for the issue:

Fixes #4144
1 parent cb9f7f4 commit 24f143789a8989f3bccde14ff28067de25cafd87 @pixeltrix pixeltrix committed Apr 30, 2012
Showing with 10 additions and 0 deletions.
  1. +10 −0 actionpack/lib/action_controller/metal/redirecting.rb
@@ -45,6 +45,16 @@ module Redirecting
# integer, or a symbol representing the downcased, underscored and symbolized description.
# Note that the status code must be a 3xx HTTP code, or redirection will not occur.
+ # If you are using XHR requests other than GET or POST and redirecting after the
+ # request then some browsers will follow the redirect using the original request
+ # method. This may lead to undesirable behavior such as a double DELETE. To work
+ # around this you can return a <tt>303 See Other</tt> status code which will be
+ # followed using a GET request.
+ #
+ # Examples:
+ # redirect_to posts_url, :status => :see_other
+ # redirect_to :action => 'index', :status => 303
+ #
# It is also possible to assign a flash message as part of the redirection. There are two special accessors for the commonly used flash names
# +alert+ and +notice+ as well as a general purpose +flash+ bucket.
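
Review bot: The added paragraph beginning "If you are using XHR requests other than GET or POST" never names the redirect status that triggers the method-preserving behaviour. The commit message says it is 302, but a reader of the generated docs only sees "redirecting after the request", so it is not obvious why <tt>303 See Other</tt> is the fix. Suggest wording such as "redirecting after the request with a 302 status". The two examples would also be clearer if one of them were shown in the context the note warns about, for instance a comment saying it is the redirect issued after a DELETE. Minor style: a comma before "then some browsers" would make that sentence easier to parse.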
