- From: Willy Tarreau <w@1wt.eu>
- Date: Tue, 19 Oct 2010 11:12:06 +0200
- To: "Eric J. Bowman" <eric@bisonsystems.net>
- Cc: Anne van Kesteren <annevk@opera.com>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On Tue, Oct 19, 2010 at 03:07:56AM -0600, Eric J. Bowman wrote:
> "Anne van Kesteren" wrote:
> >
> > Yeah, for XMLHttpRequest we had to special case GET/HEAD to omit any
> > passed request entity bodies. We do not want to add more methods
> > there.
> >
>
> OK, I understand that. But does this mean that the no-entity-body
> requirement for GET/HEAD is a historical mistake, or was there some
> reason for parsing these requests differently? What I'm experimenting
> with is an IDLE method (IMAP has one) very similar to GET, so I'm
> trying to understand why I can't just copy the definition of GET as a
> starting point. I'm convinced by the responses *not* to do that, but
> wondering what gotcha may be lurking.

IMHO, it is fine to say that the method MUST NOT include a body, but it
is still required to indicate what to do with that body if any is found.
Otherwise, you'd get the same mistake as GET/HEAD consisting in some
implementations not looking at the content-length at all and being
vulnerable to request smuggling attacks.

Regards,
Willy

Received on Tuesday, 19 October 2010 09:13:01 UTC
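
The framing disagreement described in the message above, as an added example that is not part of the original thread: one parser honors Content-Length on every method, the other ignores it for GET/HEAD, and a check reports when they split the same bytes differently. The function names and the sample byte stream are constructed for this illustration.

```python
# Added illustration; names and sample bytes are constructed for this example.
BODY = b"GET /internal HTTP/1.1\r\nHost: a\r\n\r\n"   # bytes sent as a GET body
STREAM = (b"GET / HTTP/1.1\r\nHost: a\r\nContent-Length: "
          + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)
PLAIN = b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"             # no body, no length

BODYLESS = ("GET", "HEAD")


def split_requests(stream, honor_length_on_bodyless):
    """Split a byte stream into (method, target, body_length) tuples.

    honor_length_on_bodyless=False models the mistake from the message:
    Content-Length is not looked at for GET/HEAD.
    """
    requests, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            raise ValueError("incomplete header block")
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = end + 4
        length = 0
        if honor_length_on_bodyless or method not in BODYLESS:
            raw = headers.get("content-length", "0")
            if not raw.isdigit():
                raise ValueError("bad Content-Length")
            length = int(raw)
        if pos + length > len(stream):
            raise ValueError("truncated body")
        pos += length  # the body is consumed as part of this request
        requests.append((method, target, length))
    return requests


def framing_disagrees(stream):
    """True when the two parsers see different request boundaries."""
    return split_requests(stream, True) != split_requests(stream, False)


if __name__ == "__main__":
    print("honors length :", split_requests(STREAM, True))
    print("ignores length:", split_requests(STREAM, False))
    print("disagree      :", framing_disagrees(STREAM))
```

The parser that honors the length sees one request with a body; the one that ignores it treats the body bytes as a second request, which is the desynchronization a front end and back end must not have.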