W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2009

Re: Is OPTIONS Safe?

From: John Kemp <john@jkemp.net>
Date: Tue, 02 Jun 2009 21:33:59 -0400
Message-ID: <4A25D307.8000703@jkemp.net>
To: Mark Nottingham <mnot@mnot.net>
CC: HTTP Working Group <ietf-http-wg@w3.org>
Mark Nottingham wrote:
> p2 7.2 currently says about OPTIONS:
>> This method allows the client to
>>    determine the options and/or requirements associated with a resource,
>>    or the capabilities of a server, without implying a resource action
>>    or initiating a resource retrieval.
> That sounds safe to me,

 From p2 7.1.1:

"In particular, the convention has been established that the GET and
  HEAD methods SHOULD NOT have the significance of taking an action
  other than retrieval.  These methods ought to be considered "safe".
  This allows user agents to represent other methods, such as POST, PUT
  and DELETE, in a special way, so that the user is made aware of the
  fact that a possibly unsafe action is being requested."

Which suggests to me that "safe" currently means that _only_ a retrieval 
operation takes place with safe methods.

> but I don't see anywhere where this is said 
> explicitly.

It seems to me that the definition of "safe" would then have to include 
operations which do not initiate a resource retrieval at all (eg. OPTIONS)

> The answer matters for things like redirection without user intervention 
> (assuming we keep that requirement).
> Proposal: Specify that OPTIONS is safe.

By updating 7.1.1?


- johnk

> Cheers,
> -- 
> Mark Nottingham     http://www.mnot.net/
Received on Wednesday, 3 June 2009 01:37:43 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:49 UTC