Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Where in the spec is the content-type header filtered out on 301/302/303 redirects? #192

Closed
wisniewskit opened this issue Feb 20, 2018 · 4 comments
Closed

Where in the spec is the content-type header filtered out on 301/302/303 redirects? #192

wisniewskit opened this issue Feb 20, 2018 · 4 comments

Comments

@wisniewskit
Copy link

I'm failing to see where an XHR that's 301/302/303 redirected (as in the tests in /xhr/send-redirect-post-upload.htm) would lose its content-type header to pass those tests, given the XHR and Fetch specs as-written.

That is, during step 4 of the XHR send() method, an author request header for the content-type will be added, but I don't see where it should be filtered out for the redirected request to meet this test's expectations.

I see HTTP-redirect fetch step 11, where the POST will become a GET if needed and the upload body will be nulled out, but where is the content-type filtered out, so that it isn't added right back to the request headers?

In addition, the "301 POST with string and explicit Content-Type safelisted" test in /xhr/send-redirect-to-cors.htm expects its explicitly-set content-type to not be filtered out, but does expect the body and content-length to be stripped away.

And so I'm lead to believe that the content-type header shouldn't be removed when explicitly set by the user (unless blocked by CORS), but it should be removed when it's implicitly computed in send() step 4?
@annevk
Copy link
Member

annevk commented Feb 20, 2018

This is a duplicate of whatwg/fetch#609, right?

@wisniewskit
Copy link
Author

Hmm. They do sound the same (or at least this seems to be a Fetch issue rather then XHR issue), but maybe there's still a detail that hasn't yet been considered.

In both of the tests I mention above, they end up being 301 redirects that drop from a POST to a GET, so both of them should lose their bodies and content-types... but the CORS-related one expects the safelisted content-type header to not be stripped away. And Chrome and Firefox are passing both tests, so I'm not sure why there isn't a conflict between these tests. That's why I think that it matters if the header was explicitly declared, which I don't see being considered in that Fetch issue.

@annevk
Copy link
Member

annevk commented Feb 20, 2018

I suspect that is the inconsistency @ricea refers to in the other issue. We should probably consistently strip.

@wisniewskit
Copy link
Author

Alright, then I'll close this as a dupe and ask in that issue about the inconsistency.

@wisniewskit wisniewskit mentioned this issue Feb 20, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@wisniewskit @annevk and others