W3C home > Mailing lists > Public > w3c-dist-auth@w3.org > April to June 1999

Re: Some problems with the WebDAV protocol

From: Yoram Last <ylast@mindless.com>
Date: Tue, 20 Apr 1999 19:50:05 +0300
Message-ID: <371CB03D.6723C226@mindless.com>
To: w3c-dist-auth@w3.org
> The rationale for the extra constraints on PUT in WebDAV is:
> * Prevention of creation of intermediate collections on user error.
> Say I'm authoring a resource with URL:
> http://authoring.mycorp.com/users/jim/1999_reports/q1_report/rpt.htm
> And suppose that the server supports PUT, and does actually create
> intermediate collections as needed (as allowed by HTTP/1.1):
> Now, what happens if, when I go to save a backup of this report, I type in
> the URL:
> http://authoring.mycorp.com/users/jim/1999-reports/q1_report/rpt.htm
> (That is, the "_" in "1999_reports" is now a "-") Now, instead of getting an
> error, my server has gone ahead and made two new collections for me
> (1999-reports, and "q1_report"), a behavior I did not want.

This seems like a fairly mild problem. Besides, the potential for
having this problem is purely the result of a user interface that lets
you create a whole path with one command. It has nothing to do with
the protocol. You can (and surely will) have applications that would do
that anyway, namely, you will type the desired URI, and then the client
program would automatically create the missing collections with MKCOL.
What does it matter if this is done by the client or the server? 

> * Not *requiring* the creation of intermediate collections to support
> namespace consistency
> As far as HTTP/1.1 is concerned, a server is free to have what I term "free
> floating URLs", URLs that, if you remove the last path segment, do not
> resolve to a resource.
> For example:
> http://example.com/foo/fuzz/bar.html
> This URL would be free floating if you removed the "bar.html" path segment
> to create:
> http://example.com/foo/fuzz/
> AND if this URL is not mapped to a resource.
> In WebDAV, we wanted to prevent free-floating resources, since they would
> violate namespace consistency (that, ideally, every URL for a DAV-compliant
> resource must belong to a collection).

I fail to see what is the problem. If a server has a problem to create certain
URI's, because that would conflict with namespace consistency, then it shouldn't
allow *those* URIs to be created. Clearly in many cases, the server can create
the "missing" collections without any namespace consistency problems.

> This would have required us to add a
> requirement that a PUT to a URL would have to create all intermediate
> collections.  But, this seemed to us to be adding excessive side-effects to
> PUT, especially since a user might not even want those extra collections to
> be created (i.e., they might have just committed an error).

Why do you think that you must *require* things to be one way or the other?

> So, while you may not agree with this rationale, the requirement was not
> added arbitrarily.

I actually agree that if you have MKCOL, then it makes more sense to use it,
but your arguments for why PUT-based creation of collections must be
completely banned are very weak. It is pretty close to arbitrary.

> OK, so given that WebDAV has this extra requirement on PUT that HTTP/1.1
> does not have, you are assering that a downlevel HTTP/1.1 authoring client
> would experience interoperability problems authoring against a DAV server
> (or a DAV-capable portion of a server's namespace).  It seems to me that, if
> users of these downlevel clients depend on the side-effect behavior of PUT
> to create intermediate collections, they might indeed have some difficulty
> authoring against a DAV-capable server.
> So, having agreed to your main point, we are now left to argue over the
> severity of this interoperability problem.  I assert that it is minor, since
> there are several existing workarounds.
> Workaround #1:
> Use an existing DAV client as a helper to create the intermediate
> collections.
> This addresses your question:
> > And how do I do a MKCOL if I use Amaya, Netscape composer, AOLpress,
> etc.,...?
> Use the helper to do the MKCOL (or create the collections in the underlying
> repository, if you have access).
> Workaround #2:
> Don't author in spaces where you don't already have an existing collection.

A non technical user that is used to using a given application in a certain
way is not going to be happy with any of that. Forced migration of large
user populations to doing things differently is a big headache even when
the new ways are more convenient than the old ones. Forced migration of
large user populations to such awkward workarounds is pretty much out of
the question.

> Since my personal use of HTTP/1.1 authoring tools has always been in an
> existing collection, it seems to me that these workarounds would be
> satisfactory.  Do you have real-world use scenarios in which these scenarios
> would not work?  If so, are these common use cases, or rare use cases?

I don't have any statistical data how commonly people use PUT-based
applications for web publishing, and how many of them have the habit
of creating directories in this way. Nor do I have the slightest idea how
one might be able to get such data in a reliable way. Surely, ftp is more
popular, but given the large number of PUT-enabled applications and the
convenience of using the same namespace for both viewing and uploading, I
tend to believe *some* people are using it. If a large hosting operation
has even a small percentage of its users relying on that functionality,
they may run into a serious headache if they suddenly disable it. I think
that breaking existing applications (and even more so breaking people's
work habits) is something that should be avoided unless it is truly
necessary or proven to be a non-issue (not the other way around).

I agree that this whole thing is not such a "big" issue, but not for the
same reason as you. The thing that makes it pretty benign is that nothing
at all will happen to WebDAV interoperability if this requirement would
be ignored. So for anyone who is primarily interested in getting things
to work, the choice is between zero loss on one hand and some (no matter
how small) loss on the other. So the main problem I see here isn't that
applications will really get broken, but that you have a part of the
protocol whose main function is to encourage non-compliance with that
protocol, and this tends to open the way for further non-compliance.
It isn't a good thing.

> Since RFC 2518 is now a Proposed Standard, you would have to provide an
> extremely compelling argument, backed up with significant documentation,
> that this document is causing common and widespread interoperability
> problems for it to be modified, and re-issued.  At present, it is my opinion
> that you have not done so.

I do not consider this my personal problem. I'm basically just submitting
a bug report. If you want to call it a feature, then fine. I feel like my
moral duty was done. This particular bug, by the way, is very easy to fix.
Assuming you want minimal disturbance to the protocol, then all it takes
is changing one MUST to a SHOULD.

You don't say anything about the DELETE issue. Do you think that it's a
kosher thing to send 207 responses that are really error responses to
(non-WebDAV) HTTP/1.1 clients? Some people previously suggested that since
HTTP/1.1 says that a 2xx response to a DELETE is not an absolute commitment
to having the resource deleted, then you are allowed to always send a 2xx
regardless of the outcome. This is a distorted interpretation of HTTP/1.1.
It says that a 2xx response to a DELETE indicates the acceptance of the
request as such, and that there might still be a chance that this request
will be rejected in the future due to the possible existence of further
control mechanisms such as human intervention. This is not the same as
responding with a 2xx in cases where the server fully and clearly rejects
the request, and nobody in his right mind will design a purely HTTP/1.1
server to behave in this way.

This particular DELETE problem can also be given a relatively simple
pointwise solution: Just make it a MUST for the client to submit a
Depth header, so the client would be actually identifying itself as
a WebDAV client in this way, and the server would be allowed to use
HTTP/1.1 semantics for the DELETE if a Depth header is not included.
While it might not be elegant to use a Depth header to convey information
that isn't related to a requested depth, it will work.

What seems to really be going on here, is that some of you guys are
basically saying: Look, we have this new protocol that is designed
the way we think it should be, and we don't care all that much about
other protocols and existing applications. So, unless someone *proves*
that our protocol "is causing common and widespread interoperability
problems" we don't really mind sending bogus response codes and breaking
some functionality. People should just upgrade to use our new stuff.

This is simply a rude (if not arrogant) approach, and it has the potential
to backfire in some counter-productive ways. You seem to consider it an
axiom that people will just accept your approach, and will blindly implement
whatever you write. This is NOT how the real world works. As an implementor,
*I* may decide that there are currently more HTTP/1.1 clients than there are
WebDAV clients, and since I want to support both, I will simply ignore your
prohibitions on PUT (which wouldn't cause any real problem) and also keep
my implementation of DELETE compliant with HTTP/1.1 (if I'm forced to lie
to some clients about the outcome, then I might choose to lie to the
WebDAV client rather than to the HTTP/1.1 client).  At this point some
important WebDAV functionality is lost, because the 207 response mechanism
to a DELETE carries important information. Now, it is sufficient that
*some* implementations would do that (need not be most) in order to break
the ability of WebDAV clients to count on this mechanism to work properly
(and some client implementors might even guess this potential problem in
advance, and will not count on this portion of the protocol to get implemented).
And then clients would need to use workarounds (for example, they can followup
on any DELETE with a PROPFIND to find out what really happened). At this
point of the cycle, there is no longer any motivation for server
implementors to implement this part of the protocol, so ooops, before
you know it we just lost a piece. 

Commercial application vendors can sometimes break older applications
(even in a premeditated intentional way) in order to force people to
upgrade to the latest generation. In an open standards environment, you
simply can't do that, because you don't have the muscle. So protocols
should try to be friendly, or else it's their own value that is getting

I think there are more problems with the current protocol than you might
realize at this point. The MOVE/COPY issue, that had been discussed in a
number of recent posts to list, seems like a bigger thing. Particularly,
since the primary WebDAV client in existence (Microsoft web folders)
seems to be built on the assumption that MOVE/COPY work differently
than what the protocol says. Regardless of who's fault this is, anyone
that would currently implement a server that does what the protocol says
it should do (for these requests) will have a serious problem on his hand.
So I tend to believe that, one way or the other, there will be some
changes made to this protocol in the not to distant future, and I think
that at that opportunity the PUT/DELETE issues should also be resolved.

Received on Tuesday, 20 April 1999 12:50:36 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 15:01:19 UTC