Re: Issue: request bodies

From: Jonas Sicking <jonas@sicking.cc>
Date: Sun, 23 Apr 2006 04:28:17 -0700
Message-ID: <444B64D1.4060806@sicking.cc>
To: Maciej Stachowiak <mjs@apple.com>
Cc: Mark Nottingham <mnot@yahoo-inc.com>, "Web APIs WG (public)" <public-webapi@w3.org>

Maciej Stachowiak wrote:

> 
> 
> On Apr 21, 2006, at 9:33 AM, Mark Nottingham wrote:
> 
>>
>> [ from the big comment e-mail; raising as a separate issue, as
>> requested ]
>>
>> The current draft says that:
>> "If the method is POST or PUT, then the data passed to the send()
>> method must be used for the entity body."
>>
>> This doesn't account for other request methods that may have a
>> request body, e.g., PROPPATCH. Suggested text:
>>
>> "Any data passed to the send() method MUST be used in the entity
>> body. If data is passed to send() when it is known to be incorrect
>> (e.g., in GET, HEAD, and DELETE requests), implementations MUST raise
>> an error."
> 
> 
> Current implementations silently ignore the body in this case. It seems
> like a bad idea to change this to raising an exception, since it could
> break existing content that blindly sets a body. But it seems ok to
> change the requirement to require ignoring the body for a specific list
> of methods, instead of allowing it only for a specific list of methods,
> so long as this would not allow security holes or violations of the
> HTTP spec.

Agreed. Not following the HTTP spec as written now is a bad idea since
it could confuse proxies and servers and thereby cause security issues.

/ Jonas
Received on Sunday, 23 April 2006 11:28:16 GMT
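
The body-handling rules discussed in this thread, as an added example that is not part of the original messages or of any browser's code: a small serializer comparing the draft rule (body only for POST/PUT), the ignore-list rule, and the raise-an-error rule. All function names, the policy labels and the sample request are assumptions; the ignore list uses the methods named in the thread. Content-Length is computed from the body actually sent, so a dropped body never leaves a length header that a proxy or server would frame differently.

```javascript
// Added illustration, not code from the draft or from any browser.
// All names are hypothetical; the ignore list uses the methods named in the thread.
const DRAFT_BODY_METHODS = new Set(["POST", "PUT"]);
const IGNORE_BODY_METHODS = new Set(["GET", "HEAD", "DELETE"]);

// Decide which entity body, if any, goes on the wire for send(data).
function bodyToSend(method, data, policy) {
  if (data === null || data === undefined) return null;
  const listed = IGNORE_BODY_METHODS.has(method);
  switch (policy) {
    case "draft":       // body only for POST and PUT
      return DRAFT_BODY_METHODS.has(method) ? String(data) : null;
    case "ignore-list": // silently drop the body for the listed methods
      return listed ? null : String(data);
    case "raise":       // error instead of dropping
      if (listed) throw new Error(`send() data not allowed with ${method}`);
      return String(data);
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Serialize an HTTP/1.1 request. Content-Length is derived from the body
// actually sent, so a dropped body never leaves a stale length header.
function serializeRequest(method, path, host, data, policy) {
  const m = method.toUpperCase(); // simplification: HTTP method tokens are case-sensitive
  const body = bodyToSend(m, data, policy);
  const head = [`${m} ${path} HTTP/1.1`, `Host: ${host}`];
  if (body !== null) {
    head.push(`Content-Length: ${new TextEncoder().encode(body).length}`);
  }
  return head.join("\r\n") + "\r\n\r\n" + (body === null ? "" : body);
}

// Constructed sample input.
const sample = "<propertyupdate/>";
for (const policy of ["draft", "ignore-list"]) {
  for (const method of ["PROPPATCH", "GET"]) {
    console.log(`--- ${policy} / ${method}`);
    console.log(JSON.stringify(serializeRequest(method, "/doc", "example.test", sample, policy)));
  }
}
```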