Re: i24: Requiring Allow in 405 responses from Mark Nottingham on 2008-03-04 (ietf-http-wg@w3.org from January to March 2008)

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 4 Mar 2008 13:18:39 +1100
To: Julian Reschke <julian.reschke@gmx.de>
Cc: John Kemp <john@jkemp.net>, "Roy T. Fielding" <fielding@gbiv.com>, HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <43F660A3-7DBA-4F26-A0B5-9EBFECFC7785@mnot.net>

I think that's the core of the issue, and primary source of confusion.

There is no "the" set of methods; a single request can only contain  
one method, so it's impossible to determine what "the" set of methods  
is; HTTP does not provide atomicity for multiple requests.

Therefore, some frame of reference is needed. Most people seem to read  
"the set of methods" as implying "...that you would accept on this  
resource" for some undefined, fuzzy period of time, and for some  
undefined, fuzzy period of request characteristics. The set may  
contain PROPFIND now, but it may not in three minutes. The set may  
contain POST if you present the right credentials, but may not if you  
don't. And so on.

Add to this the original concern of the issue; that some  
implementations may not be able to determine the complete set at  
runtime.

In short, the phrase does not include "complete", and the set of  
methods that it will accept is not necessarily the inversion of the  
set of methods it won't accept; there is a gray area in between.

One way to fix this is to make the definition of the set less fuzzy,  
but as Roy has pointed out, that's taking liberties.

The other is to document the fuzziness and move on, which is what I'm  
trying to do. If others have better ways of doing that, or a third way  
forward, please say so.

Cheers,

On 04/03/2008, at 2:56 AM, Julian Reschke wrote:

> John Kemp wrote:
>> Why is this additional text necessary? RFC 2616 says that
>> "The purpose of this field is strictly to inform the recipient of  
>> valid methods associated with the resource."
>> There is no requirement, stated or even seemingly implicit, that a  
>> server include ALL valid methods in its response. Only the implied  
>> requirement that a server does not include "disallowed" methods in  
>> the response.
>> ...
>
> Sorry????
>
> "The Allow entity-header field lists the set of methods supported by  
> the resource identified by the Request-URI."
>
> I would say that "*the* set of methods" is clear enough; it doesn't  
> allow a subset.
>
>> ...
>
> BR, Julian

--
Mark Nottingham     http://www.mnot.net/

Received on Tuesday, 4 March 2008 02:18:49 UTC