I completely agree.

Even without getting into API clients, the intent of this option is to tell
everyone that the canonical URL is not that, not disrupt normal operations.
The same can be said about the http->https redirect. There's no security
problem here, as the data has already been sent in plain text, the only
thing that I can think of is whether HSTS preload will support anything
except 301.

I can, however, see a downside, mostly for API clients, but the people that
use the APPEND_SLASH option obviously don't care about this aspect, which
is that API clients generally don't cache 301s between sessions, so every
request will have an extra hop, vs realising instantly that it's broken
(because your POST doesn't work). However, this is something you should
expect, after you set that option.

As a side note, this is the browser support for 308:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308#Browser_compatibility
- IE on Windows 7/8.1 doesn't support it. User agent hacks are bad, but, at
least as a setting that (temporarily) defaults to off this would be a huge
improvement.

On Fri, 11 Jan 2019 at 19:25, René Fleschenberg <r...@fleschenberg.net>
wrote:

> I am using ``APPEND_SLASH = True`` (the default) and usually use a
> trailing slash in all of my URL patterns.
>
> This works great for the most part, but some API clients send
> POST-requests without the slash and then change the request method to
> GET on the subsequent request. In particular, a popular API testing tool
> (https://www.getpostman.com/) seems to be affected by this.
>
> I can subclass ``CommonMiddleware`` and set ``response_redirect_class``,
> no problem. However, maybe Django should just send HTTP 308 by default?
> Is there any reason not to?
>
> --
> René Fleschenberg
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers  (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/1aa24da3-cd05-317a-b8c1-2a76d707b935%40fleschenberg.net
> .
> For more options, visit https://groups.google.com/d/optout.
>


-- 
George-Cristian Bîrzan

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at https://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CAMxNYaaNdN4oQrQa6csWt_TWE2onShXSrYBfp-CF2ta%2Bunptdg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to