Re: #230: Considerations for registering new methods

On Tue, Oct 19, 2010 at 03:07:56AM -0600, Eric J. Bowman wrote:
> "Anne van Kesteren" wrote:
> > 
> > Yeah, for XMLHttpRequest we had to special case GET/HEAD to omit any  
> > passed request entity bodies. We do not want to add more methods
> > there.
> > 
> OK, I understand that.  But does this mean that the no-entity-body
> requirement for GET/HEAD is a historical mistake, or was there some
> reason for parsing these requests differently?  What I'm experimenting
> with is an IDLE method (IMAP has one) very similar to GET, so I'm
> trying to understand why I can't just copy the definition of GET as a
> starting point.  I'm convinced by the responses *not* to do that, but
> wondering what gotcha may be lurking.

IMHO, it is fine to say that the method MUST NOT include a body, but it
is still required to indicate what to do with that body if any is found.
Otherwise, you'd get the same mistake as with GET/HEAD, where some
implementations do not look at the Content-Length at all and are
vulnerable to request smuggling attacks.


Received on Tuesday, 19 October 2010 09:13:01 UTC
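
The framing problem raised in the reply above, as an added example that is not part of the original message: a parser that skips Content-Length on body-less methods and one that honours it split the same connection bytes into different requests. The function names, the three policy names and the sample stream (host `example.test`) are constructed for illustration.

```python
BODYLESS = {"GET", "HEAD"}  # methods defined as carrying no request body

# Constructed sample: a GET that declares a 5-byte body, then a second request.
STREAM = (b"GET /a HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n"
          b"hello"
          b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n")


class FramingError(ValueError):
    pass


def frame(stream, policy):
    """Split a connection's bytes into (method, target) request tuples.

    policy 'ignore'  : never read Content-Length on body-less methods (the mistake)
    policy 'consume' : honour Content-Length and discard the unexpected body
    policy 'reject'  : refuse a body-less method that declares a body
    """
    requests, pos = [], 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            raise FramingError("incomplete header block")
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3:
            raise FramingError("malformed request line")
        method, target, _version = parts
        lengths = {v.strip() for k, _, v in (l.partition(":") for l in lines[1:])
                   if k.strip().lower() == "content-length"}
        if len(lengths) > 1 or any(not v.isdecimal() for v in lengths):
            raise FramingError("conflicting or invalid Content-Length")
        length = int(lengths.pop()) if lengths else 0
        pos = end + 4  # first byte after the blank line
        if method in BODYLESS and length:
            if policy == "reject":
                raise FramingError(f"{method} with a {length}-byte body")
            if policy == "ignore":
                length = 0  # body bytes stay in the stream as the "next request"
        if pos + length > len(stream):
            raise FramingError("body shorter than Content-Length")
        pos += length
        requests.append((method, target))
    return requests


def framing_agrees(stream):
    """True when the lax and the strict parser see the same requests."""
    return frame(stream, "ignore") == frame(stream, "consume")
```

Either `consume` or `reject` is a defined answer to "what to do with that body if any is found"; the risk comes from two hops on the same connection choosing differently.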