W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2005

Re: erratum in RFC 2616: 405 should not require an Allow field in response

From: Alex Rousskov <rousskov@measurement-factory.com>
Date: Thu, 23 Jun 2005 17:04:05 -0600
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <1119567845.13799.20.camel@pail.measurement-factory.com>

On Thu, 2005-06-23 at 14:00 -0700, Roy T. Fielding wrote:
> In RFC 2616:
> 
> 10.4.6 405 Method Not Allowed
> 
>     The method specified in the Request-Line is not allowed for the
>     resource identified by the Request-URI. The response MUST include an
>     Allow header containing a list of valid methods for the requested
>     resource.
> 
> which has the effect of requiring that a server advertise all
> methods to a resource.

The MUST requirement does not say "a list of ALL valid methods", but
perhaps that is implied.

>   In some cases, method implementation is
> implemented across several (extensible) parts of a server and
> thus not known.  In other cases, it may not be prudent to tell
> an unauthenticated client all of the methods that might be
> available to other clients.
> 
> I think the above should be modified to s/MUST/MAY/; does anyone
> here know of a reason not to make that change?

RFC 2616 says that "the methods GET and HEAD MUST be supported by all
general-purpose servers". Thus, a general-purpose server (whatever that
is) can satisfy the above MUST by listing GET and HEAD in the Allow
header. Note that unauthorized requests can be denied, if needed.

Said that, I suspect that changing this MUST to SHOULD or MAY will not
have a negative impact on implementations.

Alex.
Received on Thursday, 23 June 2005 23:06:05 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:49:40 GMT