
Re: Extension HTTP methods

From: Hallvord R. M. Steen <hallvord@opera.com>
Date: Mon, 12 Jun 2006 11:37:34 +0200
To: "Julian Reschke" <julian.reschke@gmx.de>, "Ian Hickson" <ian@hixie.ch>
Cc: "Gorm Haug Eriksen" <gormer@opera.com>, "Mark Nottingham" <mnot@yahoo-inc.com>, "Mark Baker" <distobj@acm.org>, "Anne van Kesteren" <annevk@opera.com>, "Pete Kirkham" <mach.elf@gmail.com>, "Web APIs WG (public)" <public-webapi@w3.org>
Message-ID: <op.ta000wsxa3v5gv@id-c0418.upc.no>

On Sun, 11 Jun 2006 22:02:15 +0200, Julian Reschke <julian.reschke@gmx.de>  
wrote:

>> Wouldn't sending a body with a method that doesn't allow a body result  
>> in allowing request smuggling?
>
> Well, only in a broken implementation. See  
> <http://greenbytes.de/tech/webdav/rfc2616.html#rfc.section.4.3>:

The request smuggling whitepaper demonstrated that major and widely used  
servers and proxy servers were broken, or parsed things differently in a  
way that enabled request smuggling...

> "The presence of a message-body in a request is signaled by the  
> inclusion of a Content-Length or Transfer-Encoding header field in the  
> request's message-headers. A message-body MUST NOT be included in a  
> request if the specification of the request method (Section 5.1.1) does  
> not allow sending an entity-body in requests. A server SHOULD read and  
> forward a message-body on any request; if the request method does not  
> include defined semantics for an entity-body, then the message-body  
> SHOULD be ignored when handling the request."

..possibly because the final SHOULD really SHOULD have been a MUST..?

-- 
Hallvord R. M. Steen
Core QA JavaScript tester, Opera Software
http://www.opera.com/
Opera - simply the best Internet experience
Received on Monday, 12 June 2006 09:35:24 GMT
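
Added example, not part of the original message: a minimal Python sketch of the parsing difference discussed above, where one parser treats Content-Length as signalling a body on any method (RFC 2616 section 4.3) and another assumes certain methods never carry one. The BODILESS set, the function names and the sample bytes are assumptions made for this illustration, and only Content-Length framing is modelled.

```python
# Methods the second parser assumes never carry a body (assumption for this sketch).
BODILESS = {b"GET", b"HEAD", b"TRACE"}

def parse_head(buf, pos):
    """Return (method, target, headers, body_start) for the message starting at pos."""
    end = buf.index(b"\r\n\r\n", pos)
    lines = buf[pos:end].split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, end + 4

def frame(buf, honor_length_for_all):
    """Split the bytes of one connection into a list of (method, target) requests.

    honor_length_for_all=True:  Content-Length signals a body on any method.
    honor_length_for_all=False: Content-Length is ignored for BODILESS methods,
                                so the body bytes are parsed as the next request.
    """
    pos, requests = 0, []
    while pos < len(buf):
        method, target, headers, pos = parse_head(buf, pos)
        length = int(headers.get(b"content-length", b"0"))
        if honor_length_for_all or method not in BODILESS:
            pos += length  # skip over the message-body
        requests.append((method.decode(), target.decode()))
    return requests

def framing_disagrees(buf):
    """True when the two parsers see different request sequences in the same bytes."""
    return frame(buf, True) != frame(buf, False)

# Constructed sample: a GET whose Content-Length covers bytes shaped like a request.
INNER = b"GET /second HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE = (b"GET /first HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: " + str(len(INNER)).encode() + b"\r\n\r\n" + INNER)
CLEAN = b"GET /only HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print("length-based framing:", frame(SAMPLE, True))
    print("method-based framing:", frame(SAMPLE, False))
    print("parsers disagree:", framing_disagrees(SAMPLE))
```

A front end or test harness can use a comparison like framing_disagrees to reject or log any request on which the two readings differ, rather than forwarding it.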
