The changes discussed in the post just seem dumb to me, but I assume there has to be some reasoning behind them.
People use HTTP for two things these days:
1. Its originally-stated purpose--an application-layer protocol that allows web browsers to retrive hypermedia documents from web servers. In this usage, HTTP replaced Gopher+FTP.
2. A transport-layer protocol, with features such as identified sub-flows (requests in a pipelined keepalive connection, websockets, etc.), several usefully-different varieties of caching, protocol feature autonegotiation, presentation-layer autonegotiation (Accept headers), automatic redirection semantics, optional encryption (TLS+HSTS+CORS = probably the most well-thought-out security-boundary semantics of any protocol we've got), etc. In this usage, HTTP basically supercedes TCP.
There's a vicious circle here: as HTTP gains traction in sense #2, businesses become increasingly unwilling to allow anything other than HTTP-in-sense-#2 through their firewalls. Eventually, HTTP may be the only transport-layer protocol.
And, given that, on a stance of complete pragmatism where we can't prevent this from happening, only try to make the best of the situation... we need an HTTP-in-sense-#2 that can actually support being used as a universal transport-layer protocol for all of the Internet's traffic.
What does that mean? Well, it means, for one thing, making HTTP lower-overhead (i.e. binary.) It means making HTTP not only work in situations we'd previously have used TCP (e.g. websockets), but also situations where we'd have used UDP (e.g. VoIP streaming.) It means, well, doing pretty much everything HTTP2 does.
Note, though, that HTTP in sense #1 will likely always be around. Nobody who uses HTTP to transfer hypermedia documents between web browsers and web servers needs to switch to HTTP2. HTTP2 can do that, but it isn't for that. (Though, practically, doing HTTP-type stuff over HTTP2 will likely be both faster and more secure.)
Worse is better strikes again!
No, seriously; this is terrifying.
Would you trust this unstable "pragmatic" house of card to deliver its promises of being "working"?
HTTP2 redefines 301 to match current practice (permanent redirect that changes from POST to GET), and defines a new 308 to try again to get a permanent redirect that doesn't change the method.
I think the issue here is that 301 and 302 were originally intended to preserve the HTTP method but they became permanent and temporary versions of "issue a new request with a GET". So to try and fix that they provided 307 (and now 308) as temporary and permanent versions of "this resource changed location, so reissue this request at the new URL".
I actually wrote a post about this a couple of days before RFC 2616 got marked for official deprecation: https://aprescott.com/posts/http-redirects
I plan on updating that with more information once a proper RFC deprecates 2616 and 308 makes its way into something other than a referenced alternative, as it is in the current draft last time I checked.
Also, for fun, try pointing curl at a server returning various response codes and see what it does with `-X [method]` and compare it with the latest Chrome and Firefox.
Meanwhile, hobohacker got around to answering the real question.
- HTTP2 != httpbis. Both work is being done by the same working group "httpbis". http://datatracker.ietf.org/wg/httpbis/charter/ covers this. httpbis (http://stackoverflow.com/questions/9105639/httpbis-what-does...) was originally chartered to revise HTTP/1.1 (RFC2616)
The working group will refine RFC2616 to:
* Incorporate errata and updates (e.g., references, IANA registries, ABNF)
* Fix editorial problems which have led to misunderstandings of the specification
* Clarify conformance requirements
* Remove known ambiguities where they affect interoperability
* Clarify existing methods of extensibility
* Remove or deprecate those features that are not widely implemented and also unduly affect interoperability
* Where necessary, add implementation advice
* Document the security properties of HTTP and its associated mechanisms (e.g., Basic and Digest authentication, cookies, TLS) for common applications
As for the HTTP/2 work, here's a snippet from the charter on that:
The Working Group will produce a specification of a new expression of HTTP's current semantics in ordered, bi-directional streams. As with HTTP/1.x, the primary target transport is TCP, but it should be possible to use other transports.
- He seems to think the httpbis folks gratuitously redefined 301. It should be noted that RFC2616 (which, by definition, predates the httpbis work since httpbis is defined to revise RFC2616) had already noted the issue with 301 (http://tools.ietf.org/html/rfc2616#section-10.3.2):
Note: When automatically redirecting a POST request after receiving a 301 status code, some existing HTTP/1.0 user agents will erroneously change it into a GET request.
- It's unclear to me whether or not the author acknowledges the existence of buggy implementations as noted in section 10.3.2. It's an open question as to what to do in the presence of buggy implementations. From a server standpoint, if the client is buggy, and you don't want to break the client (willingness to break clients probably depends on how many of the server's users use that client), then you will attempt to work around it, irrespective of what the standard says. Therefore, it's simply pragmatic to ignore the spec if it doesn't mirror reality, and pragmatic spec editors may update the spec to acknowledge this difference.
- As far as current status of the various 308 usages, Julian (author of the 308 draft) is lobbying major user agents to adopt this, and has written up a status update on the Chromium bug tracker: https://code.google.com/p/chromium/issues/detail?id=109012#c....
For the rest of us, the language from OP sure sounds like it's saying, "yeah do whatevs with 301, we give up".
People often read RFCs in a hurry. Wouldn't this be a great place to use the a "SHOULD NOT" (change the request method)?
If you're saying "MUST NOT" would be bad because the horse is out of the barn, I understand. But the draft language now sure sounds like "MAY", and the OP has a good point that it's likely to encourage more wrong behavior, not less.
At least IMHO. Again, I am not a standards lawyer, so please take this feedback accordingly.
Now, as far as "SHOULD NOT", that's a reasonable thought for people not aware of what popular user agents currently do. The thing is, the majority of major browsers rewrite POST to GET on a 301. Here's my browser's code for it: https://code.google.com/p/chromium/codesearch#chromium/src/n.... Here's Firefox's code for it: http://mxr.mozilla.org/mozilla-central/source/netwerk/protoc.... To my knowledge, all browsers implement this behavior. We basically copied IE's behavior, because, IE did it and websites expected all user agents to do what IE did. Story of the web, sound familiar? :P
So, as you can see, Julian was merely acknowledging the pragmatic reality of the situation when he updated the httpbis specs to reflect this behavior: http://trac.tools.ietf.org/wg/httpbis/trac/changeset/1428. And this reasoning behind it is covered in the introduction to the relevant section in the httpbis docs: http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-2....
"SHOULD NOT" implies that our implementations are behaving badly. Now, it's true, our implementations may not be behaving ideally from a spec cleanliness point of view, but interop trumps spec cleanliness, at least from the perspective of anyone who actually deploys real software on the internet. So it's probably best for the spec to acknowledge this and officially allow this. Specs that don't mirror reality are...probably not just useless, but actively harmful.
I hope that explains things, cheers.
> existing practice today is that 301, 303, and 307 are used correctly pretty much everywhere
is flat out wrong. I guess that's a nicer and more probable resolution than "standards people suck!".
(It is possible to override this behavior in the client with a bit of code, but I was trying to make this work with software that had already shipped.)
Sure, if you don't have a visual impairment. I do, and even though it's a very mild one, if one in 100 blog posts submitted to HN consider changing their colour scheme due to people complaining about it I would say it is worth it. And frequently I do see people changing their colour schemes based on HN feedback.
(depth of this thread and meta-meta-meta acknowledged and ceased)
font-family: 'Lucida Grande';
I also feel pretty confident in saying that it will be the browsers that will be perceived to be "in the wrong" when they reject or ignore such responses, even though it's solely the fault of bad web apps. (See how browsers today need to accept and try to correctly handle totally broken and incorrect markup, for instance.)