W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > January to April 1997

draft-holtman-http-safe-01.txt

From: Patrick McManus <mcmanus@appliedtheory.com>
Date: Tue, 18 Mar 1997 10:58:33 -0500 (EST)
Message-Id: <199703181558.KAA25986@pat.appliedtheory.com>
To: http working group <http-wg@cuckoo.hpl.hp.com>
Let's preface this with a little background.. I do a lot of
application design dealing with HTTP.. we have a huge need for some
type of GET-with-body or Post with No side effect type of
functionality in HTTP.. but I think there's a problem with the
draft-holtman-http-safe-01.txt approach.

The draft introduces Safe as a response header which is of course not
initiated in any way by the client.. this leaves no method for the
client to send a request to the server (with a body) that Mandates
that they consent to no side effects.. leading to some particularly
gruesome scenarios:

	* Client gets a page via post.. it's marked Safe
	* Client reloads page page.. no UA confirmation is
asked.. this time a side effect does occur (do to some application
logic.. time of day perhaps) and the response is marked Safe: no..
	* User doesn't reload again.. has no idea that the last load
of page had a different impact than previous loads..

In addition, there needs to be some way for the UA to send a request
that doesn't allow side effects to occur (the current semantics of
GET) for safety's safe, instead of just determining whether or not
they have caused side effects. Holtman does a nice job in section
2 of presenting the reasons why that method must also accomodate a
body.

I'm not sure that there is a better way than a new method.

The recently mentioned draft-ietf-http-uahint-00.txt suffers the same
limitation. 

-P
Received on Tuesday, 18 March 1997 10:02:30 EST

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:32:31 EDT