- From: Roy T. Fielding <fielding@liege.ICS.UCI.EDU>
- Date: Thu, 10 Oct 1996 11:26:40 -0700
- To: Foteos Macrides <MACRIDES@sci.wfbr.edu>
- Cc: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com

> The HTTP/1.1 draft states that Cache-Control and Expires headers
> *can* be used to yield and regulate caching of replies from POST requests.
> What exactly is still being sought via a GETwithBodyInsteadOfSearchpart
> that can't be achieved via a POST with "Safe: yes" and Cache-Control/Expires
> headers? Are there *any* headers or procedures which can't be made to treat
> a POST with "Safe: yes" as, in effect, a GETwithBodyInsteadOfSearchpart?

It tells the user agent (and thus the user) that it is safe to use that method even before the first time the method is applied. That is why there is a recommended presentational difference between safe and unknown-to-be-safe methods -- so that the user cannot be tricked into performing an action that they expected to be safe. This concern was the basis for TimBL's original security note, and why the HTTP spec talks about safe methods.

....Roy

Received on Thursday, 10 October 1996 11:40:25 UTC