86

I'm automating a web application (the Mantis bug tracker) and I'm getting an interesting response header from it, called Refresh:

HTTP/1.x 200 OK
...
Refresh: 0;url=my_view_page.php

It seems to be acting the same way that meta refresh does, and the meta refresh technique implies that it is an equivalent of a header in HTTP.

Problem is, I can't find any mention of the Refresh header in the HTTP standard or any other definitive documentation on how it should be parsed and what the browser should do when it encounters it.

What's going on here?

bignose
elifiner
  • 4
    What I want to know is why the script is sending a `Refresh` header field, when it could be using a 302 response instead. – C. K. Young Nov 12 '08 at 12:18
  • I don't know, that's what Mantis does, probably when it runs on PHP over ASP.NET, which is kind of a weird combo which my client has. – elifiner Nov 12 '08 at 12:20
  • Note: This header should be avoided for performance reasons. See http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/meta-refresh-causes-additional-http-requests.aspx – EricLaw May 21 '11 at 14:32
  • 2
    @EricLaw minor correction: if using a refresh header or meta tag with a delay of 0, one should almost always use a 301 or 302 redirect, instead, for the reasons you specified; however, there are some rare cases where using this does make sense, such as where there is a non-zero delay and there is meaningful content to be shown on the page (e.g. to show the user a success or error message before returning to a form, for example). – Michael Aaron Safyan Dec 27 '14 at 01:13
  • Even Facebook uses it when a user clicks on a non-FB link. Seems really annoying as it will also remove hashbangs while refreshing. – Nikhil Sahu Jan 23 '19 at 11:23

5 Answers

70

As far as I know, Refresh (along with Set-Cookie and possibly some other proprietary pseudo-headers) were created by Netscape in the very early days of the internet and have been basically (but not quite) standard since then. Because just about every browser supports it, Refresh is pretty safe to use -- and commonly is.

I guess it never became part of the official standards because they already had provisions for that with the status codes.

Alistair
  • 14
    Yep. It was created to support ‘client pull’, back in the Netscape 1.1 days when ‘client pull’ and ‘server push’ were super duper new buzzwords and adding random vomitously-broken ‘HTML extensions’ was positively demanded. IE-haters: Microsoft have nothing on Netscape... – bobince Nov 12 '08 at 12:48
  • 8
    @PointedEars, this answer is 5 years old and the author was last seen last year. Quite bold on your end to expect it to change. Until then, though, the `Refresh` header is [acknowledged](http://www.w3.org/TR/WCAG20-TECHS/H76) by the W3C through the "META refresh" appellation, and according to Wikipedia, [IE, Firefox, Chrome (and Safari) and Opera all support it](http://en.wikipedia.org/wiki/Meta_refresh#Usability). – zneak Feb 18 '14 at 19:13
  • @zneak It is irrelevant how old the statements are as long as they are unfounded. I do not think it is bold of me to point out that they are unfounded. As for “acknowledged by the W3C”, you have cited a *Working Group Note*. Indeed, [the W3C in general begs to differ](http://www.w3.org/QA/Tips/reback). Opera supports the feature that much that it can be *disabled* by the user in the Preferences dialog since quite a while. – PointedEars Feb 24 '14 at 23:12
  • 2
    @PointedEars, note that the reason cited on the page you linked is "it breaks the back button", not "it's not going to work". It even describes *what happens* when you use the `Redirect` header/``. My point was mostly that you downvoted a post that has been disowned for all practical purposes; if you want it to change, you'd be better served by getting your hands dirty rather than by casting a vote. – zneak Feb 24 '14 at 23:51
  • @zneak You are confusing the issue, missing the point. Neither the Working Group Note that you cited nor the QA Tip that I cited is referring to a *HTTP* `Refresh` header (field); they refer to a *HTML `meta` element* instead (that is intended to be equivalent to such a header field). (`Redirect` is something different than you think.) I contend that apparently Chromium 32 supports such an HTTP header field (so it is possible that other browsers do), but that was _not_ the question. IOW, the answers so far do not address the question. In particular, this answer does not. It was to be downvoted. – PointedEars Feb 25 '14 at 14:00
23

From the W3C HTML 4.01 specification, quote:

META and HTTP headers

The http-equiv attribute can be used in place of the name attribute and has a special significance when documents are retrieved via the Hypertext Transfer Protocol (HTTP). HTTP servers may use the property name specified by the http-equiv attribute to create an [RFC822]-style header in the HTTP response. Please see the HTTP specification ([RFC2616]) for details on valid HTTP headers.

What this means is that when you use the `<meta http-equiv="refresh" content="0;url=...">` tag, you are actually instructing the browser to act as if there were a Refresh header being sent.

A good overview of the history of it can be found at http://www.securiteam.com/securityreviews/6Z00320HFQ.html

Community
Loki
  • 12
    I know http-equiv is the same as sending an HTTP header. What I wanted to know was where the HTTP Refresh header came from and where it's documented. – elifiner Nov 12 '08 at 12:24
13

According to Wikipedia: URL Redirection:

This is a proprietary/non-standard extension by Netscape. It is supported by most web browsers.

Greg
6

The "Refresh" HTTP response header has been standardized (for web browsers, anyway) in HTML:

https://html.spec.whatwg.org/multipage/browsing-the-web.html#navigating-across-documents%3Ashared-declarative-refresh-steps

That URL doesn't look so stable, so here are the relevant steps as of 2019-12-03:

  1. If response has a Refresh header, then:
    1. Let value be the isomorphic decoding of the value of the header.
    2. Run the shared declarative refresh steps with document and value.
Mike
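
For an automation client that has to follow this header itself, here is a parser modelled on the shared declarative refresh steps linked in the answer above. It is an added example, not code from the answer or from the HTML specification; the function names and the host `tracker.example` are assumptions made for illustration. It also reports whether the target leaves the origin of the response, which is the check worth logging before following a refresh automatically.

```python
from urllib.parse import urljoin, urlsplit

WS = "\t\n\x0c\r "  # ASCII whitespace per the WHATWG definitions
DIGITS = "0123456789"

def parse_refresh(value, base_url):
    """Parse a Refresh value (raw header bytes decoded as latin-1).
    Returns (delay_seconds, absolute_url), or None when the value is ignored."""
    n = len(value)
    def skip(p, chars=WS):
        while p < n and value[p] in chars:
            p += 1
        return p
    start = skip(0)
    pos = skip(start, DIGITS)
    digits = value[start:pos]
    if not digits and not (pos < n and value[pos] == "."):
        return None                       # no delay: nothing to act on
    delay = int(digits) if digits else 0
    pos = skip(pos, DIGITS + ".")         # fractional part is discarded
    if pos < n:
        if value[pos] not in ";," + WS:
            return None                   # junk directly after the number
        pos = skip(pos)
        if pos < n and value[pos] in ";,":
            pos += 1
        pos = skip(pos)
    if pos >= n:
        return delay, base_url            # bare delay: reload the same URL
    for ch in "url":                      # optional, case-insensitive "url" prefix
        if not (pos < n and value[pos].lower() == ch):
            break
        pos += 1
    else:
        pos = skip(pos)
        if pos < n and value[pos] == "=":
            pos = skip(pos + 1)
    quote = value[pos] if pos < n and value[pos] in "'\"" else ""
    target = value[pos + len(quote):]
    if quote:
        target = target.split(quote, 1)[0]  # cut at the closing quote
    return delay, urljoin(base_url, target)

def leaves_origin(base_url, target_url):
    """True when the refresh target has a different scheme, host or port."""
    a, b = urlsplit(base_url), urlsplit(target_url)
    return (a.scheme, a.hostname, a.port) != (b.scheme, b.hostname, b.port)

# Constructed sample: the header from the question, on a made-up host.
BASE = "http://tracker.example/login.php"
SAMPLE = parse_refresh("0;url=my_view_page.php", BASE)
```

`leaves_origin` compares ports as written, so an explicit default port (`:80`) is treated as different from an omitted one.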
5

I believe it was originally a Netscape extension, and was not standardised because it's deprecated by W3C:

http://www.w3.org/TR/WCAG10-HTML-TECHS/#meta-element

Alnitak