W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

Re: Is OPTIONS Safe?

From: Mark Nottingham <mnot@mnot.net>
Date: Wed, 3 Jun 2009 12:23:24 +1000
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <226E255D-C2F9-463C-B0B3-14B2FE079386@mnot.net>
To: John Kemp <john@jkemp.net>
Yes, that's what I'm suggesting.

Cheers,


On 03/06/2009, at 11:33 AM, John Kemp wrote:

> Mark Nottingham wrote:
>> p2 7.2 currently says about OPTIONS:
>>> This method allows the client to
>>>   determine the options and/or requirements associated with a  
>>> resource,
>>>   or the capabilities of a server, without implying a resource  
>>> action
>>>   or initiating a resource retrieval.
>> That sounds safe to me,
>
> From p2 7.1.1:
>
> "In particular, the convention has been established that the GET and
> HEAD methods SHOULD NOT have the significance of taking an action
> other than retrieval.  These methods ought to be considered "safe".
> This allows user agents to represent other methods, such as POST, PUT
> and DELETE, in a special way, so that the user is made aware of the
> fact that a possibly unsafe action is being requested."
>
> Which suggests to me that "safe" currently means that _only_ a  
> retrieval operation takes place with safe methods.
>
>> but I don't see anywhere where this is said explicitly.
>
> It seems to me that the definition of "safe" would then have to  
> include operations which do not initiate a resource retrieval at all  
> (eg. OPTIONS)
>
>> The answer matters for things like redirection without user  
>> intervention (assuming we keep that requirement).
>> Proposal: Specify that OPTIONS is safe.
>
> By updating 7.1.1?
>
> Regards,
>
> - johnk
>
>> Cheers,
>> -- 
>> Mark Nottingham     http://www.mnot.net/
>


--
Mark Nottingham     http://www.mnot.net/
Received on Wednesday, 3 June 2009 02:24:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:03 GMT