Add note about using 303 See Other for XHR requests other than GET/POST

IE since version 6 and recently Chrome and Firefox have started following
302 redirects from XHR requests other than GET/POST using the original request
method. This can lead to DELETE requests being redirected amongst other things.

Although it doesn't directly affect the Rails framework since it doesn't return
a 302 redirect to any non-GET/POST request a note has been added to raise
awareness of the issue. Some references:

Original article from @technoweenie:
http://techno-weenie.net/2011/8/19/ie9-deletes-stuff/

Hacker News discussion of the article:
http://news.ycombinator.com/item?id=2903493

WebKit bug report:
https://bugs.webkit.org/show_bug.cgi?id=46183

Firefox bug report and changeset:
https://bugzilla.mozilla.org/show_bug.cgi?id=598304
https://hg.mozilla.org/mozilla-central/rev/9525d7e2d20d

Chrome bug report:
http://code.google.com/p/chromium/issues/detail?id=56373

HTTPbis bug report and changeset:
http://trac.tools.ietf.org/wg/httpbis/trac/ticket/160
http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1428

Roy T. Fielding's history of the issue:
http://ftp.ics.uci.edu/pub/ietf/http/hypermail/1997q3/0611.html

Automated browser tests for the issue:
http://www.mnot.net/javascript/xmlhttprequest/

Fixes #4144
(cherry picked from commit 24f1437)
commit a72fe84d00724ccb6d60f82ce90e36a8c0f1c1ae 1 parent 8fec5d7
Andrew White pixeltrix authored

Showing 1 changed file with 10 additions and 0 deletions.

  1. +10 0 actionpack/lib/action_controller/metal/redirecting.rb
10 actionpack/lib/action_controller/metal/redirecting.rb
@@ -45,6 +45,16 @@ module Redirecting
45 45 # integer, or a symbol representing the downcased, underscored and symbolized description.
46 46 # Note that the status code must be a 3xx HTTP code, or redirection will not occur.
47 47 #
  48 + # If you are using XHR requests other than GET or POST and redirecting after the
  49 + # request then some browsers will follow the redirect using the original request
  50 + # method. This may lead to undesirable behavior such as a double DELETE. To work
  51 + # around this you can return a <tt>303 See Other</tt> status code which will be
  52 + # followed using a GET request.
  53 + #
  54 + # Examples:
  55 + # redirect_to posts_url, :status => :see_other
  56 + # redirect_to :action => 'index', :status => 303
  57 + #
48 58 # It is also possible to assign a flash message as part of the redirection. There are two special accessors for the commonly used flash names
49 59 # +alert+ and +notice+ as well as a general purpose +flash+ bucket.
50 60 #
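Review bot: The added comment (new lines 48 to 52) never names the status code that triggers the replay, so a reader cannot tell that the 303 workaround is aimed at 302 responses; the commit message says it is 302 redirects that browsers follow with the original method, and the comment should say so as well. "Double DELETE" also understates the risk: the replayed request goes to the redirect target, so in the first example a DELETE on a single post would be followed by a DELETE to posts_url, a different resource from the one the client asked to remove. Consider wording such as "the browser will re-issue the DELETE against the redirect location" so the reason for returning <tt>303 See Other</tt> is clear from the documentation alone.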
