Re: #230: Considerations for registering new methods

From: Willy Tarreau <w@1wt.eu>
Date: Tue, 19 Oct 2010 11:12:06 +0200
To: "Eric J. Bowman" <eric@bisonsystems.net>
Cc: Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <20101019091206.GC12694@1wt.eu>

On Tue, Oct 19, 2010 at 03:07:56AM -0600, Eric J. Bowman wrote:
> "Anne van Kesteren" wrote:
> > 
> > Yeah, for XMLHttpRequest we had to special case GET/HEAD to omit any  
> > passed request entity bodies. We do not want to add more methods
> > there.
> > 
> 
> OK, I understand that.  But does this mean that the no-entity-body
> requirement for GET/HEAD is a historical mistake, or was there some
> reason for parsing these requests differently?  What I'm experimenting
> with is an IDLE method (IMAP has one) very similar to GET, so I'm
> trying to understand why I can't just copy the definition of GET as a
> starting point.  I'm convinced by the responses *not* to do that, but
> wondering what gotcha may be lurking.

IMHO, it is fine to say that the method MUST NOT include a body, but it
is still required to indicate what to do with that body if any is found.
Otherwise, you'd get the same mistake as GET/HEAD consisting in some
implementations not looking at the content-length at all and being
vulnerable to request smuggling attacks.

Regards,
Willy
Received on Tuesday, 19 October 2010 09:13:01 GMT
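
Added example, not part of the original message or of any implementation discussed in the thread: a minimal request framer showing why Content-Length must still be consulted for methods defined as having no body. The function names and the sample stream are constructed for illustration; Transfer-Encoding and duplicate headers are out of scope.

```python
BODYLESS = {b"GET", b"HEAD"}  # methods whose definition says "no body"

def frame(stream: bytes, honor_length: bool) -> list:
    """Split a persistent-connection byte stream into (method, target, body).

    honor_length=False reproduces the mistake: Content-Length is never
    looked at for GET/HEAD, so any body bytes are parsed as a new request.
    """
    requests, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise ValueError("incomplete header block")
        lines = stream[pos:end].split(b"\r\n")
        method, target, _version = lines[0].split(b" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        raw = headers.get(b"content-length", b"0")
        if not raw.isdigit():
            raise ValueError("invalid Content-Length")
        length = int(raw)
        if method in BODYLESS and not honor_length:
            length = 0  # the mistake: header ignored for GET/HEAD
        start = end + 4
        if start + length > len(stream):
            raise ValueError("truncated body")
        body = stream[start:start + length]
        requests.append((method.decode(), target.decode(), body))
        pos = start + length  # next request begins after the declared body
    return requests

def framing_disagrees(stream: bytes) -> bool:
    """True when the two parsers see different request boundaries."""
    strict = [r[:2] for r in frame(stream, True)]
    naive = [r[:2] for r in frame(stream, False)]
    return strict != naive

# Constructed sample: a GET that declares a body, followed by a second request.
INNER = b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE = (b"GET /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: "
          + str(len(INNER)).encode() + b"\r\n\r\n" + INNER
          + b"GET /c HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    print([r[1] for r in frame(SAMPLE, True)])   # length honored
    print([r[1] for r in frame(SAMPLE, False)])  # length ignored
```

Two hops that frame the same connection differently no longer agree on where one request ends and the next begins, which is the precondition for request smuggling.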
