Re: i24: Requiring Allow in 405 responses from John Kemp on 2008-03-03 (ietf-http-wg@w3.org from January to March 2008)

From: John Kemp <john@jkemp.net>
Date: Mon, 03 Mar 2008 10:03:31 -0500
To: Mark Nottingham <mnot@mnot.net>
CC: "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <47CC1343.4000102@jkemp.net>

Hello,

Mark Nottingham wrote:
> 
> Exactly. We're not here to re-design Allow or come up with a better 
> mechanism; just to clarify what it means today.
> 
> To reiterate, my proposal:
> 
>> "The actual set of allowed methods is defined by the origin server at 
>> the time of each request."
>>
>> to
>>
>> "The actual set of allowed methods is defined by the origin server at 
>> the time of each request, and may not necessarily include all (or any) 
>> methods that the server would actually allow in a request if presented."

Why is this additional text necessary? RFC 2616 says that

"The purpose of this field is strictly to inform the recipient of valid 
methods associated with the resource."

There is no requirement, stated or even seemingly implicit, that a 
server include ALL valid methods in its response. Only the implied 
requirement that a server does not include "disallowed" methods in the 
response.

And let's remember, this Allow header came in a 405 response - the 
client tried something that didn't get it what it was looking for. The 
Allow header says "you tried something I don't allow on that resource - 
I claim that I support these methods on it."

The client can then try again. If it keeps trying unsupported methods 
(which it is free to do of course) it will keep falling afoul of the 
server's (hopefully not merely capricious!) requirements, so it's 
probably best if the client follows the server's advice ("the 
indications given by the Allow header field value SHOULD be followed")

> 
> Some will argue that that's loosening the requirements of 2616; I don't 
> think I buy that, because there isn't a RFC2119-level requirement about 
> the contents of the header.

Right - I don't see it as a loosening - but in my reading of 2616 it 
does seem an unnecessary addition.

- johnk

> 
> Thinking about the subsequent discussion, I'm ambivalent about adding a 
> SHOULD-level requirement on the server side WRT completeness; I think 
> the text above stands on its own.
> 
> Cheers,
> 
> 
> On 01/03/2008, at 7:04 AM, Roy T. Fielding wrote:
> 
>>
>> There is no point in arguing this.  Look at what has been implemented 
>> so far
>> and remove the cases that have not.
>>
>> ....Roy
>>
> 
> 
> -- 
> Mark Nottingham     http://www.mnot.net/
> 
>

Received on Monday, 3 March 2008 15:03:48 UTC