Re: draft-holtman-http-safe-01.txt

On Wed, 19 Mar 1997, Patrick McManus wrote:

> In a previous episode David W. Morris said...
> 
> :: What would your reaction be to including the safe/uahint header on the
> :: POST request? 
> 
> Wouldn't that be a problem for 1.0 servers/cgis who would ignore the safe
> requirement and process the non safe post anyhow? 

There are also servers/applications which use GET and violate the safe
rule. Your postulate is that an unknown third party is going to reverse
engineer your safe POST interface and you are going to change that
interface to be non-safe. It would be foolish of you to ignore the client
requirement that the request be safe.

> 
> I do believe that control over the issue belongs on the request side
> to maintain symmetry with the way it is now with GET and POST.. I
> almost don't see an alternative to a new method (back to
> GETWBODY). Generally what I'm getting at is the UA has a right to
> dictate whether changes may be made or "I'm just browsing".. (the
> server of course can respond with "get out of here!" if it's process
> requires mores than browsing type permission.)

I don't see that a new method is required. A request header can establish
a R/O requirement ... except it may not be known if the server cares to
obey the reqwuirement.



> My suspicion is the this really should be deferred to 1.2 so a new
> method can be added.

Waiting for a version of HTTP which isn't on any working groups schedule
is a problem.  The requirement you are posing wasn't part of the
discussion (that I can recall) that resulted in the safe: response header.
Improving the usability of internationalized and other applications where
a BODY was required/desired was the motivation. Timely deployment was
considered important.

I think the addition of the UA-Hint response header which carries advice
a user agent can use to improve the application can be incorporated 
within existing HTTP protocols. My intent was that nothing serious breaks
if the header is ignored. (To the extend that an application needs the
improved security from the more precise history list control, they might
need to key off of UA version, etc.)

I don't believe either proposed syntax (safe or uahint) precludes addition
of a new method for GETWBODY.

Dave MOrris

Received on Wednesday, 19 March 1997 13:44:33 UTC