gateway: clarify 3XX on trustless gw

Open lidel opened this issue 10 months ago • 0 comments

Writing down clarification proposed by @hsanjuan idea from https://github.com/ipfs/boxo/issues/862#issuecomment-2693727250

This PR clarifies that trustless gateways and clients SHOULD avoid returning and processing HTTP 3XX redirects. Gateway URL changes should be performed by updating entry in routing systems instead.

Rationale:

3XX redirects create unnecessary overhead for trustless clients
- need to open new connections to different servers
- requiring extra headers for detecting and avoiding loops (https://github.com/ipfs/boxo/issues/862)
- it is desirable for spec to nudge implementers towards best practices that remove redirect overhead from server and client
opt-out from following redirects is relatively easy to implement:
- go: ErrUseLastResponse can be returned by Client.CheckRedirect
- js: disable via fetch(url, {method: 'GET', redirect: 'manual'}) and then response can be inspected if response.type === 'opaqueredirect'

cc @hsanjuan (boxo/rainbow) and @SgtPooki @2color (helia/verified-fetch/inbrowser.link) for feedback.

Mar 04 '25 00:03 lidel