HTTP Redirect Codes (3xx) and the Location Field

Over the last days some including me have opened tickets in wordpress trac touching the HTTP transport layer and redirection in specific.

As with my previous HTTP related review of worpdress, this is getting more and more interesting and detailed as well.

Especially two recent tickets (#16855, #16888) made me review the use of the Location header field in combination with redirect status codes in RFC 2616 – Hypertext Transfer Protocol — HTTP/1.1.

Review

Looking from the HTTP Status Code sepcifications in the redirection class, the following table tries to give an overview:

Code Server User-Agent
300 Multiple Choices SHOULD include MAY use for automatic redirection
301 Moved Permanently SHOULD be given MUST NOT automatically redirect
302 Found SHOULD be given MUST NOT automatically redirect
303 See Other SHOULD be given SHOULD retrieve by GET
304 Not Modfied n/a n/a
305 Use Proxy MUST MUST
306 (Unused) (was: Switch Proxy)
307 Temporary Redirect SHOULD be given MUST NOT automatically redirect

Looking from the Location field specification, the related information is more broadly:

For 3xx responses, the location SHOULD indicate the server’s preferred URI for automatic redirection to the resource. The field value consists of a single absolute URI.

The location field is used for other status codes as well (e.g. 201), I was not able to compile a full list so far.

Summary

The Location field plays an important role in the HTTP 3xx redirect status-code class, the usage varies a bit between the different codes, but genreally it was designed for automatic redirection.

Automatic redirection is not always considered safe these days, so take care – user-agents may not perform them anyway according to the specs.

An interesting information bit is, that servers and applications should not expect clients to handle more than 5 redirects in a row for compatibility reasons. There is more in Redirection 3xx so it’s probably worth for a second write-up of HTTP redirects for web-developers in general with a comparison between HTTP/1.0 and HTTP/1.1 as well.

About these ads
This entry was posted in Hacking The Core, Pressed and tagged , , , , , , , , , . Bookmark the permalink.

One Response to HTTP Redirect Codes (3xx) and the Location Field

  1. edelwater says:

    Nice info thanks!,

    2 things I noticed while playing with this in WP, maybe interesting for someone writing the same kinda thing and finding this post:

    1. While it was adviced to get the HEAD first and then GET if not a redirect (or 5x etc) I noticed sites that give 405 method not allowed (no head) and sites that give a 200 in the HEAD and 3xx when doing a get, etc.. etc… So I decided to no longer do HEAD first and always just GET. Saves a lot of requests.

    2. Some sites use the redirection HTML tag /Javascript redirection in the head or body instead of the 3x redirect status, I almost forgot about that. So if you are building something that really has to follow redirects apart from the WP HTTP API work you need to parse the initial html piece also and presumably dom xpath that one also for that tag(s), take the first one found, then redirect to somewhere else… which may be anywhere. And depending on the WP plugin at the same time parse the canonical link(s).

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s