W3C home > Mailing lists > Public > public-webapi@w3.org > June 2006

Re: Extension HTTP methods

From: Julian Reschke <julian.reschke@gmx.de>
Date: Sun, 11 Jun 2006 22:02:15 +0200
Message-ID: <448C76C7.7090601@gmx.de>
To: Ian Hickson <ian@hixie.ch>
CC: Gorm Haug Eriksen <gormer@opera.com>, "Hallvord R. M. Steen" <hallvord@opera.com>, Mark Nottingham <mnot@yahoo-inc.com>, Mark Baker <distobj@acm.org>, Anne van Kesteren <annevk@opera.com>, Pete Kirkham <mach.elf@gmail.com>, "Web APIs WG (public)" <public-webapi@w3.org>

Ian Hickson schrieb:
> On Sat, 10 Jun 2006, Julian Reschke wrote:
>>> it's very hard for this group and the browser vendors to agree upon 
>>> behaviour. E.g. should an entity-body be passed with the verb? How 
>>> should the browser handle content negotiation?
>> Disagreement here. XHR implementations do not need any special knowledge 
>> about this. If a client supplies a request body, it should be sent. No 
>> problem here.
> 
> Wouldn't sending a body with a method that doesn't allow a body result in 
> allowing request smuggling?

Well, in only in a broken implementation. See 
<http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.3>:

"The presence of a message-body in a request is signaled by the 
inclusion of a Content-Length or Transfer-Encoding header field in the 
request's message-headers. A message-body MUST NOT be included in a 
request if the specification of the request method (Section 5.1.1) does 
not allow sending an entity-body in requests. A server SHOULD read and 
forward a message-body on any request; if the request method does not 
include defined semantics for an entity-body, then the message-body 
SHOULD be ignored when handling the request."


Best regards, Julian
Received on Sunday, 11 June 2006 20:02:26 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:18:55 GMT