Re: draft-holtman-http-safe-00.txt

From: Roy T. Fielding <fielding@liege.ICS.UCI.EDU>
Date: Thu, 10 Oct 1996 11:26:40 -0700
To: Foteos Macrides <MACRIDES@sci.wfbr.edu>
Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
Message-Id: <9610101126.aa14067@paris.ics.uci.edu>
X-Mailing-List: <http-wg@cuckoo.hpl.hp.com> archive/latest/1753
> 	The HTTP/1.1 draft states that Cache-Control and Expires headers
> *can* be used to yield and regulate caching of replies from POST requests.
> What exactly is still being sought via a GETwithBodyInsteadOfSearchpart
> that can't be achieved via a POST with "Safe: yes" and Cache-Control/Expires
> headers?  Are there *any* headers or procedures which can't be made to treat
> a POST with "Safe: yes" as, in effect, a GETwithBodyInsteadOfSearchpart?

It tells the user agent (and thus the user) that it is safe to use
that method even before the first time the method is applied.  That is
why there is a recommended presentational difference between safe and
unknown-to-be-safe methods -- so that the user cannot be tricked into
performing an action that they expected to be safe. This concern was
the basis for TimBL's original security note, and why the HTTP spec
talks about safe methods.

Received on Thursday, 10 October 1996 11:40:25 UTC
