empty form actions

yawnmoth wrote:

Say I have the following HTML:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
</head>

<body>
<form action="">
</form>
</body>

It seems to validate ok and my tests suggest that when the action
attribute is blank, that the action will be assumed to be the current
location, but is this a reasonable assumption? Is a
standards-compliant browser guaranteed to see empty action attributes
as being self-referential actions?

yawnmoth,

No guarantee at all. What the HTML Recommendation says is "User agent
behavior for a value other than an HTTP URI is undefined.".

See http://www.w3.org/TR/html401/interac...ml#adef-action

Chris Beall

yawnmoth wrote:

<form action="">

It seems to validate ok and my tests suggest that when the action
attribute is blank, that the action will be assumed to be the current
location, but is this a reasonable assumption?

I'm given to understand that the URL spec resolves that as the current
URL ... but I've seen browsers treat it as "./", so I'd avoid it.
--
David Dorward <http://blog.dorward.me.uk/ <http://dorward.me.uk/>
Home is where the ~/.bashrc is

Chris Beall wrote:

yawnmoth wrote:

[snip]

>Is a standards-compliant browser guaranteed to see empty action
attributes as being self-referential actions?

Guaranteed? I wouldn't like to say. It certainly should though as that
is how empty URI references are defined.

<aside>
One thing I'm curious about is why IE resolves such URIs correctly for
action attributes, but not anchor href attributes. Perhaps it was one of
those things that Microsoft intentionally broke.
</>

No guarantee at all. What the HTML Recommendation says is "User agent
behavior for a value other than an HTTP URI is undefined.".

Yes, so specifying a URI that uses a ftp or mailto scheme, for example,
leads to undefined behaviour.

Relative URIs are permitted and a relative URI always uses the same
scheme. Therefore an empty URI reference (which is a relative URI) is
also permitted.

[snip]

Mike

Michael Winter wrote:

Chris Beall wrote:

>yawnmoth wrote:

[snip]

>>Is a standards-compliant browser guaranteed to see empty action
attributes as being self-referential actions?

Guaranteed? I wouldn't like to say. It certainly should though as that
is how empty URI references are defined.

Looking to refute this, I found that you're correct, which tells me,
unless I'm missing something *now*, that I and others have been giving
incorrect information here.

From RFC 2396 (http://www.ietf.org/rfc/rfc2396.txt):

4.2. Same-document References

A URI reference that does not contain a URI is a reference to the
current document. In other words, an empty URI reference within a
document is interpreted as a reference to the start of that document,
and a reference containing only a fragment identifier is a reference
to the identified fragment of that document. Traversal of such a
reference should not result in an additional retrieval action.
However, if the URI reference occurs in a context that is always
intended to result in a new request, as in the case of HTML's FORM
element, then an empty URI reference represents the base URI of the
current document and should be replaced by that URI when transformed
into a request.

>
<aside>
One thing I'm curious about is why IE resolves such URIs correctly for
action attributes, but not anchor href attributes. Perhaps it was one of
those things that Microsoft intentionally broke.

IE is definitely wrong. Firefox reloads the current page (including the
original query string!), which the spec passage above says it shouldn't do.

On form submission with the POST method, both browsers conform to the
passage above, even to the extent of including any query string from the
original request. With GET, the form data replaces, rather than being
appended to, the original query string.

Harlan Messinger wrote:

Michael Winter wrote:

>>yawnmoth wrote:

>>>Is a standards-compliant browser guaranteed to see empty action
attributes as being self-referential actions?

Guaranteed? I wouldn't like to say. It certainly should though as
that is how empty URI references are defined.

Looking to refute this, I found that you're correct ...

Always nice to know. :-)

Simple evidence can be found in the reference resolution examples (5.4
in RFC 3986, Appendix C in RFC 2396):

Within a representation with a well defined base URI of

http://a/b/c/d;p?q

a relative reference is transformed to its target URI as
follows.

....

"" = "http://a/b/c/d;p?q"

which tells me, unless I'm missing something *now*, that I and others
have been giving incorrect information here.

Really? Obviously I haven't read every post on the subject sent to this
group, but I've never noticed bad advice (and if I had, I'd have
mentioned it). Still, you've drawn attention to something that I've
overlooked in the past.

From RFC 2396 (http://www.ietf.org/rfc/rfc2396.txt):

By the way, 2396 has been obsoleted by 3986 (the latter being a
standard: STD 66).

[snip]

>One thing I'm curious about is why IE resolves such URIs correctly
for action attributes, but not anchor href attributes. Perhaps it
was one of those things that Microsoft intentionally broke.

IE is definitely wrong.

There was no doubt in my mind about that! It resolves such a URI as if
it were ".".

Firefox reloads the current page (including the original query
string!),

The original query string is to be expected as both the path /and/ the
query string identify a particular resource, so a same-document
reference must include both...

which the spec passage above says it shouldn't do.

....but I had overlooked the part about not re-retrieving the current
document. That said, the URI specifications do not seem to reference or
use RFC 2119 (requirements levels), and even if they did, it would be a
SHOULD, not MUST, requirement.

In this instance, I think there is justification for overriding any such
desire to prevent new requests as a user agent cannot know, just from
the URI alone, whether a new request is actually warranted. After all,
using the example from the RFC, even a URI "d;p?q" would be considered a
same-document reference as it resolves to the base URI. To force a
reload using only a link, one would have to add (and constantly alter)
the query string, or use client-side scripting (not that the latter
would be sensible).

If the desire is to eliminate a new request, then HTTP already provides
a feature capable of that very thing: caching.

On form submission ... With GET, the form data replaces, rather than
being appended to, the original query string.

Yes, I've found that to be annoying and, in my opinion, quite stupid.
Why force authors to include hidden form controls to pass on operational
parameters rather than just using the query string?

Mike

Michael Winter wrote:

Harlan Messinger wrote:

>Firefox reloads the current page (including the original query
string!),

The original query string is to be expected as both the path /and/ the
query string identify a particular resource, so a same-document
reference must include both...

Right, I didn't indicate that I understood this to be correct. It was
more like I was *marveling* that both browsers got that right.

>

>which the spec passage above says it shouldn't do.

...but I had overlooked the part about not re-retrieving the current
document. That said, the URI specifications do not seem to reference or
use RFC 2119 (requirements levels), and even if they did, it would be a
SHOULD, not MUST, requirement.

In this instance, I think there is justification for overriding any such
desire to prevent new requests as a user agent cannot know, just from
the URI alone, whether a new request is actually warranted. After all,
using the example from the RFC, even a URI "d;p?q" would be considered a
same-document reference as it resolves to the base URI. To force a
reload using only a link, one would have to add (and constantly alter)
the query string, or use client-side scripting (not that the latter
would be sensible).

AFAIK, all the browsers know not to reload the page when an HREF points
to an anchor on the current page, regardless of the URI form used in the
HREF (whether http://www.example.com/x#hello, /x#hello, or #hello).

>
If the desire is to eliminate a new request, then HTTP already provides
a feature capable of that very thing: caching.

>On form submission ... With GET, the form data replaces, rather than
being appended to, the original query string.

Yes, I've found that to be annoying and, in my opinion, quite stupid.
Why force authors to include hidden form controls to pass on operational
parameters rather than just using the query string?

Ah, but: if the form appears on the page in response to every submission
of the form by the user, then on the second submission the form's data
will be appended to the existing query string--which already includes
the data from the first form submission. This would likely break
whatever the page was supposed to be doing with the data.

Harlan Messinger wrote:

[snip]

AFAIK, all the browsers know not to reload the page when an HREF
points to an anchor on the current page, regardless of the URI form
used in the HREF (whether http://www.example.com/x#hello, /x#hello,
or #hello).

For fragments, certainly, but they're a special case. The URI
specification refers to all same-document references, as far as I can see.

[snip]

>>On form submission ... With GET, the form data replaces, rather
than being appended to, the original query string.

Yes, I've found that to be annoying and, in my opinion, quite
stupid. Why force authors to include hidden form controls to pass
on operational parameters rather than just using the query string?

Ah, but: if the form appears on the page in response to every
submission of the form by the user, then on the second submission the
form's data will be appended to the existing query string--which
already includes the data from the first form submission. This would
likely break whatever the page was supposed to be doing with the
data.

I don't think I made myself clear. Consider:

<form action="?stage=1" method="get">
<!-- ... -->
<input name="foo" value="bar">
<!-- ... -->

with a base URI of:

http://www.example.com/processor

When submitted, the URI will be

http://www.example.com/processor?foo=bar

not

http://www.example.com/processor?stage=1&foo=bar

I would expect the document URI to be completely replaced, but I don't
see why the query string needs to be stripped from the action attribute
value.

By comparison, making a POST request will use a request URI of:

http://www.example.com/processor?stage=1

In either case, if the form needed to be resubmitted, the action
attribute would still be the same as before, and the new form data would
be sent in addition to that pre-set value. The previously sent data
would not be involved.

Is that a better explanation? I think you thought that I meant that with
a /base/ URI of:

http://www.example.com/processor?name=value

I'd want the URI to be:

http://www.example.com/processor?name=value&foo=bar

or something like that, which isn't the case.

Mike

Michael Winter wrote:

Harlan Messinger wrote:

[snip]

>AFAIK, all the browsers know not to reload the page when an HREF
points to an anchor on the current page, regardless of the URI form
used in the HREF (whether http://www.example.com/x#hello, /x#hello,
or #hello).

For fragments, certainly, but they're a special case. The URI
specification refers to all same-document references, as far as I can see.

[snip]

>>>On form submission ... With GET, the form data replaces, rather
than being appended to, the original query string.

Yes, I've found that to be annoying and, in my opinion, quite
stupid. Why force authors to include hidden form controls to pass
on operational parameters rather than just using the query string?

Ah, but: if the form appears on the page in response to every
submission of the form by the user, then on the second submission the
form's data will be appended to the existing query string--which
already includes the data from the first form submission. This would
likely break whatever the page was supposed to be doing with the
data.

I don't think I made myself clear. Consider:

<form action="?stage=1" method="get">
<!-- ... -->
<input name="foo" value="bar">
<!-- ... -->

with a base URI of:

http://www.example.com/processor

When submitted, the URI will be

http://www.example.com/processor?foo=bar

not

http://www.example.com/processor?stage=1&foo=bar

I would expect the document URI to be completely replaced, but I don't
see why the query string needs to be stripped from the action attribute
value.

By comparison, making a POST request will use a request URI of:

http://www.example.com/processor?stage=1

In either case, if the form needed to be resubmitted, the action
attribute would still be the same as before, and the new form data would
be sent in addition to that pre-set value. The previously sent data
would not be involved.

Is that a better explanation?

Much more clear, thanks.