Re: erratum in RFC 2616: 405 should not require an Allow field in response

On Thu, 2005-06-23 at 14:00 -0700, Roy T. Fielding wrote:
> In RFC 2616:
> 10.4.6 405 Method Not Allowed
>     The method specified in the Request-Line is not allowed for the
>     resource identified by the Request-URI. The response MUST include an
>     Allow header containing a list of valid methods for the requested
>     resource.
> which has the effect of requiring that a server advertise all
> methods to a resource.

The MUST requirement does not say "a list of ALL valid methods", but
perhaps that is implied.

>   In some cases, method implementation is
> implemented across several (extensible) parts of a server and
> thus not known.  In other cases, it may not be prudent to tell
> an unauthenticated client all of the methods that might be
> available to other clients.
> I think the above should be modified to s/MUST/MAY/; does anyone
> here know of a reason not to make that change?

RFC 2616 says that "the methods GET and HEAD MUST be supported by all
general-purpose servers". Thus, a general-purpose server (whatever that
is) can satisfy the above MUST by listing GET and HEAD in the Allow
header. Note that unauthorized requests can be denied, if needed.

Said that, I suspect that changing this MUST to SHOULD or MAY will not
have a negative impact on implementations.


Received on Thursday, 23 June 2005 23:06:05 UTC