W3C home > Mailing lists > Public > public-webapi@w3.org > April 2006

Re: Issue: request bodies

From: Mark Nottingham <mnot@yahoo-inc.com>
Date: Sat, 22 Apr 2006 11:23:33 -0700
Message-Id: <D7ADFB7E-C694-4A26-989C-F4B10D824735@yahoo-inc.com>
Cc: "Julian Reschke" <julian.reschke@gmx.de>, "Web APIs WG (public)" <public-webapi@w3.org>
To: Mark Baker <distobj@acm.org>


On 2006/04/22, at 7:45 AM, Mark Baker wrote:

> On 4/21/06, Mark Nottingham <mnot@yahoo-inc.com> wrote:
>>
>> RFC2616, section 4.3;
>>
>> "A message-body MUST NOT be included in a request if the
>> specification of the request method (section 5.1.1) does not allow
>> sending an entity-body in requests. "
>
> Right.
>
>>
>> GET, HEAD and DELETE do not allow for an entity-body in requests.
>
> You'd think so, wouldn't you?  But that's not the case; they all  
> permit them.

It depends on how you read "does not allow"; the definitions of those  
methods do not explicitly allow a body, so if you're a "everything  
not allowed is forbidden" kind of guy (which is how the MUST NOT  
requirement above is written), they *don't* permit them.

I do agree that HTTP isn't very clear on this matter, but I couldn't  
find any immediately apparent discussion in the WG. Do you have a ref?

What do you think a request body on GET will mean? What developers  
will probably do with it -- especially if forthcoming access control  
mechanisms have a higher barrier for POST -- makes me shudder.

> We wouldn't want to profile HTTP, would we? 8-)

*tbbtttbbhbt*

--
Mark Nottingham
mnot@yahoo-inc.com
Received on Saturday, 22 April 2006 18:23:57 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:54 GMT