W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2007

Re: i19 Bodies on GET (and other) requests

From: Henrik Nordstrom <hno@squid-cache.org>
Date: Tue, 16 Jan 2007 01:06:25 +0100
To: Mark Nottingham <mnot@mnot.net>
Cc: "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
Message-Id: <1168905985.32694.39.camel@henriknordstrom.net>
mån 2007-01-15 klockan 17:35 +1100 skrev Mark Nottingham:
> Background at: <http://lists.w3.org/Archives/Public/ietf-http-wg/ 
> 2006AprJun/0103>
> 
> Does anybody have any new information / thoughts about this?

The HTTP protocol message format is quite well defined in when a request
body may be allowed.. pretty much at any time except where it is
forbidden. But in many requests the meaning of said request body is
undefined by HTTP/1.1, but may well be defined by other application
protocols building on HTTP/1.1 as long as it doesn't conflict with
HTTP/1.1. Naturally such uses will be quite limited, but still..

I know the thread perhaps a bit too well, being one of the guilty ones
who instinctively blocked GET requests with a request body. But in
retrospect I did knew what the specs said, just didn't like the effects
it could have on the service provided by the software I write or having
to cover odd undefined cases rarely if ever seen in real life.. so we
blocked them to see if it would cause any problems, which it did some
many years later.. (and by which time we had almost forgot why)

But with applications already out in the field doing this kinds of
requests for various reasons it will be a bit tricky to get them covered
by the specs if straightened up to not allow request bodies where their
use is nonsense under the semantics of HTTP/1.1.

The perhaps biggest problem, apart from some implementations blocking
such requests as "nonsense use of HTTP" is that it may be used as a
covert channel to smuggle data out from a network. But there is a large
number of those in HTTP and related services so not that big of a
problem..  Hmm.. maybe there is also request smuggling attacks possible
here if there is some server/proxy software ignoring that there may be a
request body..

Regards
Henrik

Received on Tuesday, 16 January 2007 00:07:13 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:00 GMT