- From: Jeffrey Mogul <mogul@pa.dec.com>
- Date: Tue, 19 Jan 99 12:07:40 PST
- To: "'http-wg@cuckoo.hpl.hp.com'" <http-wg@cuckoo.hpl.hp.com>
Robert Long wrote:
> > I am wondering whether GET requests are allowed to have an Entity-Body?

Kalvinder Singh wrote:
> I can't see any reason why they would not. I have written a small http
> proxy, and I check for the "Content-Length" header to see if there is
> any entity body, and not the METHOD (except for HEAD :).
>
> Well, it doesn't make any sense for the GET to have a body, since all
> the information (both static and dynamic) is stored in the URL. So
> maybe there is an implementation of a proxy and/or server that gets all
> mixed up when there is a Body in a GET request.

This is probably a good time to remind people of the Robustness Principle, first stated (although not under that name) in RFC791, with respect to IP datagrams:

    In general, an implementation must be conservative in its sending
    behavior, and liberal in its receiving behavior. That is, it must be
    careful to send well-formed datagrams, but must accept any datagram
    that it can interpret (e.g., not object to technical errors where the
    meaning is still clear).

Applying this to the current question: a client implementation should not send an entity-body with a GET request, because it has no specified meaning. BUT: a server ought to accept such a GET message (and ignore the entity-body), rather than reject such a message as erroneous.

It's perhaps harder to use this principle to decide whether a proxy should forward the request intact ("be liberal in its receiving behavior") or with the body deleted ("be conservative in its sending behavior"). If the proxy is being used as part of a security firewall, I'd probably vote for the latter, so as to avoid the possibility of a covert channel ... but this is debatable, I'm sure.

-Jeff
Received on Tuesday, 19 January 1999 12:12:44 UTC
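
The following is an added example, not part of the original message or of any proxy mentioned in the thread. It sketches the firewall-proxy option discussed above: the request is framed by Content-Length regardless of method, and a GET is forwarded with its body and Content-Length header deleted. The function name, the BODYLESS_METHODS policy set and the sample request are assumptions made for illustration; requests framed by Transfer-Encoding are rejected rather than handled.

```python
# Added example, not from the thread. BODYLESS_METHODS is an assumed policy set.
BODYLESS_METHODS = {b"GET"}

def forward_conservatively(stream: bytes):
    """Parse one request; return (bytes_to_forward, body_bytes_dropped, unread_rest)."""
    head, sep, after = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated")
    request_line, *header_lines = head.split(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    strip = method in BODYLESS_METHODS

    length, kept = None, []
    for line in header_lines:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line")
        lname = name.strip().lower()
        if lname == b"transfer-encoding":
            raise ValueError("Transfer-Encoding framing is outside this example")
        if lname == b"content-length":
            value = value.strip()
            if not value.isdigit() or length not in (None, int(value)):
                raise ValueError("bad or conflicting Content-Length")
            length = int(value)
            if strip:
                continue  # the header is deleted together with the body
        kept.append(line)

    # Liberal in receiving: the body is located by Content-Length, whatever
    # the method, and consumed so the next pipelined request stays aligned.
    length = length or 0
    if len(after) < length:
        raise ValueError("body shorter than Content-Length")
    body, rest = after[:length], after[length:]

    # Conservative in sending: a GET leaves the proxy with no entity-body.
    dropped = len(body) if strip else 0
    out = b"\r\n".join([request_line, *kept]) + b"\r\n\r\n" + (b"" if strip else body)
    return out, dropped, rest

# Constructed sample: a GET with a 6-byte body, pipelined ahead of a second request.
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\n\r\nhidden"
          b"GET /next HTTP/1.1\r\nHost: example.test\r\n\r\n")

if __name__ == "__main__":
    print(forward_conservatively(SAMPLE))
```

Logging the dropped byte count per request gives the firewall operator a record of clients that attach bodies to GET.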