- From: Koen Holtman <koen@win.tue.nl>
- Date: Thu, 10 Oct 1996 12:03:21 +0200 (MET DST)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
- Cc: Koen Holtman <koen@win.tue.nl>
Larry requested an internet draft to progress the
REPOST/Idempotent/Redo-Safe/Safe issue, so I made one.
Happy reading!
Koen.
----snip---
HTTP Working Group Koen Holtman, TUE
Internet-Draft
Expires: April 10, 1997 October 10, 1996
The Safe Response Header
draft-holtman-http-safe-00.txt
STATUS OF THIS MEMO
This document is an Internet-Draft. Internet-Drafts are
working documents of the Internet Engineering Task Force
(IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of
six months and may be updated, replaced, or obsoleted by
other documents at any time. It is inappropriate to use
Internet-Drafts as reference material or to cite them other
than as "work in progress".
To learn the current status of any Internet-Draft, please
check the "1id-abstracts.txt" listing contained in the
Internet-Drafts Shadow Directories on ftp.is.co.za
(Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific
Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US
West Coast).
Distribution of this document is unlimited. Please send
comments to the HTTP working group at
<http-wg@cuckoo.hpl.hp.com>. Discussions of the working
group are archived at
<URL:http://www.ics.uci.edu/pub/ietf/http/>. General
discussions about HTTP and the applications which use HTTP
should take place on the <www-talk@w3.org> mailing list.
ABSTRACT
This document proposes a HTTP response header called Safe, which
can be used to label the corresponding POST request as being safe.
This labeling will allow user agents to present services which use
safe POSTs in a more user-friendly way. Improving the
user-friendliness of safe POSTs is considered important, because
web internationalization will depend for a large part on the use of
safe POSTs.
1 Introduction
This document proposes a HTTP response header called Safe, which can
be used to label the corresponding POST request as being safe. This
labeling will allow user agents to present services which use safe
POSTs in a more user-friendly way. Improving the user-friendliness
of safe POSTs is considered important, because web
internationalization will depend for a large part on the use of safe
POSTs.
2 Background
According to Section 9.1.1 (Safe Methods) of the HTTP/1.1 draft
specification [1], POST requests are assumed to be `unsafe' by
default. `Unsafe' means `causes side effects for which the user will
be held accountable'.
If the POST request is unsafe, explicit user confirmation is
necessary before the request is repeated. User agents will repeat
POST requests when the user presses the RELOAD button while a POST
result is displayed, or when the history function is used to
redisplay a POST result which is no longer in the history buffer.
The necessary confirmation dialog often takes the form of a `repost
form data?' dialog box. The dialog is confusing to many users, and
slows down navigation in any case.
In theory, if the repeated POST request is safe, the user-unfriendly
confirmation dialog can be omitted. However, up till now, HTTP has
no mechanism by which agents can tell if POST requests are safe.
This proposal adds such a mechanism.
Many content authors have managed to avoid the confirmation dialog
problem by using GETs for form submission instead of safe POSTs.
However, this escape is not possible for forms
a) which are (sometimes) used to submit large amounts of data
b) which are (sometimes) used to submit data in a charset other
than ISO-8859-1.
Case b) will be the increasingly common; web internationalization [2]
makes it necessary to use the POST method for form submission.
It is therefore considered important to eliminate the unnecessary
confirmation dialogs for safe POSTs as soon as possible. They are a
counter-incentive to the upgrading of GET based forms services (like
search engines) to internationalized POST based forms services.
3 The Safe response header
This header is proposed as an addition to the HTTP/1.x suite.
The Safe response header field indicates whether the corresponding
request is safe in the sense of Section 9.1.1 (Safe Methods) of the
HTTP/1.1 draft specification [1].
Safe = "Safe" ":" safe-nature
safe-nature = "yes" | "no"
An example of the field is:
Safe: yes
If the Safe header is absent, the corresponding request must be
considered unsafe, unless it is a GET or HEAD request. GET and HEAD
requests are safe by definition, user agents must ignore a `Safe: no'
header field in GET and HEAD responses.
Note: User agents can use the received information about safety
when repeating an earlier request. If the request is known to be
safe, it can be silently repeated without asking for user
confirmation.
4 Smooth upgrade path
That the Safe header provides a smooth upgrade path; if a service
switches from GETs to safe POSTs, existing browsers will still be
able to access the service. Its use requires little re-coding effort
for service authors and user agent authors, and is optional in any
case.
5 About syntax
This document mainly intends to recommend a _mechanism_; the syntax
of the corresponding header is considered less important. One
alternative to the addition of a Safe header would be the addition of
a `safe' response directive to the Cache-Control header.
6 Security considerations
This proposal adds no new HTTP security considerations.
7 References
[1] Fielding et al, Hypertext Transfer Protocol -- HTTP/1.1.
Internet-Draft draft-ietf-http-v11-spec-07.txt, HTTP Working
Group, August 12, 1996
[2] Yergeau et al, Internationalization of the Hypertext Markup
Language, Internet-Draft draft-ietf-html-i18n-05.txt, Network
Working Group, August 7, 1996
8 Author's address
Koen Holtman
Technische Universiteit Eindhoven
Postbus 513
Kamer HG 6.57
5600 MB Eindhoven (The Netherlands)
Email: koen@win.tue.nl
Expires: April 10, 1997
Received on Thursday, 10 October 1996 03:10:03 UTC