- From: Larry Masinter <LMM@acm.org>
- Date: Tue, 16 Apr 2002 22:10:30 -0700
- To: "'Roy T. Fielding'" <fielding@apache.org>
- Cc: <www-tag@w3.org>

I'm going to leave out the discussion of SOAP, since it isn't directly related to the subject line (when to use Get).

> File upload is not a safe operation.

Whether file upload is safe depends on the application. Why isn't http://validator.w3.org/file-upload.html safe?

> In general, most applications
> that involve user-supplied data being supplied to the server are not
> safe.

Often not, but sometimes yes.

> The only exception is when the information is in the form of
> generalized query parameters, for which there is a trade-off between
> GET and POST that usually involves the size of the parameter content.

There are other exceptions; for example, where the parameter content contains non-ASCII strings; also, XForms presumes an XML content model that isn't nicely encoded in URL parameters.

> GET is only desirable for those cases where the parameters can be
> expressed as a meaningful URI.

Even then, there are other preconditions.

> The Safe header field was not
> implemented because it is utterly pointless to know whether or
> not a message is safe *after* it has been invoked.

No, it isn't 'utterly pointless'. One of the primary use cases for knowing about whether a method was 'safe' was to decide whether it was OK to re-do the method without warning the user, as is now done with POST. A Safe POST could be redone (click Reload) without prompting, and knowing after the fact was as useful as knowing before.

Received on Wednesday, 17 April 2002 01:11:17 UTC