Wrong behavior if delete request receives redirect response #281
Comments
|
Adding some info here tests to update: test_mechanize.rb lines 283 (DELETE), 952 (PUT), 938 (POST) @drbrain Thoughts on returns for a |
|
We should follow RFC 2616 in this manner, if we get a redirect response when we didn't issue a GET or HEAD we should return some special type of response for the user to follow manually. |
ref #281 RFC 2616 section 10.3 example: agent = Mechanize.new page = agent.delete('http://example.com/') page.body #=> "" page['Location'] #=> "http://google.com"
|
@drbrain Can you review that commit, am I missing anything? |
|
I thought I could CC this issue from the commit, but I can't. Looks great! |
|
This change breaks many real websites (I can provide examples - I have a script that logs into Campfire that breaks with this change). While you're correctly following the RFC, all of the major browsers follow a 302 redirect after a POST as well. The RFC defines codes 303 and 307 to disambiguate this case, and further notes that the standard is different than most actual implementations: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html (see the note under "302 Found"). You're absolutely right that this follows the standard more closely, but if the goal of Mechanize is to act like a real browser, this is a step in the wrong direction. |
|
Oops, I did not read the change close enough, you are right. We're only allowed to GET or HEAD after redirect on POST, DELETE, etc., not POST or DELETE after redirect so we should change the method to GET when redirecting (unless the request was HEAD). |
|
The point is that we don't follow a redirect anyway unless its a HEAD or On 8 Feb 2013, at 22:56, Eric Hodel notifications@github.com wrote: Oops, I did not read the chance close enough, you are right. We're only allowed to GET or HEAD after redirect on POST, DELETE, etc., not — |
|
i think we should behave like more browsers. and for the special use case of the issue opener (no redirects at posts) can be solved with the original unchanged code with the option {{@redirect_ok}} set to false see: mechanize/lib/mechanize/http/agent.rb Line 936 in 71602a5 this option let also return the page like its done in the patch 71602a5 |
|
Just for clarification: is OK, but: is NOT OK |
|
@drbrain Yeah from what I can see, this is exactly what happened before. Reverting my changes should resolve this which discards the original issues request. |
|
Can we close this? I reverted the altered code, as it appears Mechanize already behaves as we're discussing it should. |
If one makes a DELETE request and receives a redirect as a response then Mechanize follows the redirect, but as a GET.
Per Eric Hodel:
According to RFC 2616 section 10.3 only GET and HEAD requests may follow redirects.
So it should not follow at all.
I raise the issue as I'm using a commercial product that may issue a redirect in response to a DELETE and expects me to issue a new DELETE to the location specified by the redirect. So I'd love if Mechanize provided some sort of hook to enable that to happen, whether it be raising an exception or setting a flag in some way that I could check to see if I got a redirect and providing a way to extract the new location and reissue the request, or (I'm sure less optimal from your point of view) a way to configure the non-standard behavior for anyone who wanted it.
The text was updated successfully, but these errors were encountered: