W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2008

RE: PROPOSAL: i24 Requiring Allow in 405 Responses

From: Brian Smith <brian@briansmith.org>
Date: Thu, 20 Mar 2008 07:32:34 -0700
To: "'HTTP Working Group'" <ietf-http-wg@w3.org>
Message-ID: <003d01c88a97$40b44570$0302a8c0@T60>


I agree with your interpretation of what SHOULD means. I mostly agree
with you about the server side, but I disagree that the server should
return 403 instead of 405 if it cannot create an accurate Allow header
field. 403 should only be used when none of the more specific status
codes is applicable, or when one of the other status codes would
disclose too much information. If the server is rejecting the request
solely because of the method used, then 405 is the most appropriate. I
would say that the server SHOULD return an Allow header field in its 405
responses if and only if it can accurately list all of the allowed

I totally disagree with you regarding the client side behavior though:

* The requirements for client processing of 405/Allow do not need to be
stricter than the requirements for client processing of
401/WWW-Authenticate. When the server returns 401/WWW-Authenticate,
there is nothing that says the client cannot submit the request again
unchanged; we rely on common sense there, and we can (and should) rely
on common sense for 405/Allow.

* The SHOULD requirement implies that the client SHOULD maintain state.

* The SHOULD requirement doesn't have any benefit. The server doesn't
benefit because still has to be able to handle requests with methods it
doesn't support.

* Regardless of what the specification says, clients still have to deal
with servers that do not follow the specification. 

Received on Thursday, 20 March 2008 14:33:18 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:45 UTC