- From: Patrick McManus <mcmanus@appliedtheory.com>
- Date: Tue, 18 Mar 1997 10:58:33 -0500 (EST)
- To: http working group <http-wg@cuckoo.hpl.hp.com>
Let's preface this with a little background.. I do a lot of application design dealing with HTTP.. we have a huge need for some type of GET-with-body or Post with No side effect type of functionality in HTTP.. but I think there's a problem with the draft-holtman-http-safe-01.txt approach.

The draft introduces Safe as a response header which is of course not initiated in any way by the client.. this leaves no method for the client to send a request to the server (with a body) that Mandates that they consent to no side effects.. leading to some particularly gruesome scenarios:

* Client gets a page via post.. it's marked Safe
* Client reloads page.. no UA confirmation is asked.. this time a side effect does occur (due to some application logic.. time of day perhaps) and the response is marked Safe: no..
* User doesn't reload again.. has no idea that the last load of page had a different impact than previous loads..

In addition, there needs to be some way for the UA to send a request that doesn't allow side effects to occur (the current semantics of GET) for safety's sake, instead of just determining whether or not they have caused side effects. Holtman does a nice job in section 2 of presenting the reasons why that method must also accommodate a body. I'm not sure that there is a better way than a new method.

The recently mentioned draft-ietf-http-uahint-00.txt suffers the same limitation.

-P
Received on Tuesday, 18 March 1997 10:02:30 UTC
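
The reload scenario in the message above, as a small simulation. This is an added example, not part of the original message or of either draft: the Server and UserAgent classes, the declare_safe flag and the hour-based application logic are hypothetical, and the UA rule (skip confirmation when the previous response was marked Safe) is taken from the scenario as described.

```python
# Constructed simulation. Server, UserAgent and the declare_safe flag are
# hypothetical names, not taken from draft-holtman-http-safe-01.txt.

class Server:
    def __init__(self):
        self.side_effects = 0

    def post(self, hour, declare_safe=False):
        # Application logic: the same POST has a side effect only in the evening.
        wants_side_effect = hour >= 18
        if wants_side_effect and declare_safe:
            # Client mandated "no side effects": refuse instead of acting.
            return {"result": "refused"}
        if wants_side_effect:
            self.side_effects += 1
            return {"result": "ok", "Safe": "no"}
        return {"result": "ok", "Safe": "yes"}


class UserAgent:
    def __init__(self, server):
        self.server = server
        self.marked_safe = set()  # URLs whose last POST response said Safe: yes

    def load(self, url, hour):
        # Confirmation is skipped when the previous response was marked Safe.
        asked = url not in self.marked_safe
        resp = self.server.post(hour)
        if resp["Safe"] == "yes":
            self.marked_safe.add(url)
        else:
            self.marked_safe.discard(url)
        return asked, resp["Safe"]


def response_header_scenario():
    # First load in the morning, reload in the evening.
    server = Server()
    ua = UserAgent(server)
    history = [ua.load("/report", hour=10), ua.load("/report", hour=20)]
    return history, server.side_effects


def client_declared_scenario():
    # Same two requests, but the client states up front that no side effect is allowed.
    server = Server()
    results = [server.post(h, declare_safe=True)["result"] for h in (10, 20)]
    return results, server.side_effects
```

In the first scenario the reload is sent without confirmation and the side effect has already happened by the time the response says Safe: no; in the second the server never performs it.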