
RE: draft findings on Unsafe Methods (whenToUseGet-7)

From: Larry Masinter <LMM@acm.org>
Date: Tue, 16 Apr 2002 22:10:30 -0700
To: "'Roy T. Fielding'" <fielding@apache.org>
Cc: <www-tag@w3.org>
Message-ID: <000a01c1e5ce$36a1ed90$6ace8642@larrypad>

I'm going to leave out the discussion of SOAP, since it
isn't directly related to the subject line (when to use Get).

> File upload is not a safe operation.

Whether file upload is safe depends on the application.
Why isn't http://validator.w3.org/file-upload.html safe?


>  In general, most applications
> that involve user-supplied data being supplied to the server are not
> safe.

Often not, but sometimes yes.

>  The only exception is when the information is in the form of
> generalized query parameters, for which there is a trade-off between
> GET and POST that usually involves the size of the parameter content.

There are other exceptions; for example, where the parameter content
contains non-ASCII strings; also, XForms presumes an XML content model
that isn't nicely encoded in URL parameters.

> GET is only desirable for those cases where the parameters can be
> expressed as a meaningful URI.

Even then, there are other preconditions.

> The Safe header field was not
> implemented because it is utterly pointless to know whether or
> not a message is safe *after* it has been invoked.

No, it isn't 'utterly pointless'. One of the primary use cases for
knowing about whether a method was 'safe' was to decide whether it
was OK to re-do the method without warning the user, as is now done
with POST. A Safe POST could be redone (click Reload) without prompting,
and knowing after the fact was as useful as knowing before.
Received on Wednesday, 17 April 2002 01:11:17 GMT
