Re: Proposed HTTP SEARCH method update

On 2015-05-20 10:04, Wenbo Zhu wrote:
>
>
> On Tue, May 19, 2015 at 11:41 PM, Julian Reschke
> <julian.reschke@greenbytes.de> wrote:
>
>     On 2015-05-20 08:37, Wenbo Zhu wrote:
>
>         ...
>              SEARCH can be safely retried, and some pieces of code
>              already know that.
>
>              Also: X-HTTP-Method-Override is a hack people used when they
>              couldn't use new methods (for some value of "new"). Why
>              does *not* using this hack feel to you like doing it?
>              /me confused.
>
>         SEARCH to me is like a POST, i.e. to make a function call against a
>         resource. This is what I was suggesting (or voting) ...
>
>
>     Well, it's not. One obvious difference is that it already is defined
>     to be safe.
>
>                  GET with a body: to ensure no server will ignore the
>                  body, could we expect the client to generate a unique
>                  token in the URL? Also, I think
>
>
>              a) How is this supposed to work? b) Even if it did, how is
>              mangling things into the URL ever a good idea?
>
>         To address the concern that a server that does not look at the
>         GET body may return an unfiltered resource based on just the URL.
>
>
>     I still don't see how this affects existing code.
>
>
> If a server chooses to return an unfiltered response to "GET /foo", then
> "GET /foo/<random-token>" will return a 404 if the client is concerned
> about the GET body being dropped along the way.

Well, that violates the principles in <https://tools.ietf.org/html/rfc7320>.

>
>         ...
>              Yes, if you rewrite all components that currently do not
>              expect GET with bodies.
>
>         If we can address the safety issue, then I believe GET + body
>         complicates the Web less than introducing a new method like SEARCH
>         (whose use cases overlap with GET in many ways), IMHO.
>
>
>     SEARCH is not a new method. The proposal is about extending it to
>     make it useful outside WebDAV.
>
> I don't know WebDAV well enough from the standardization/adoption point
> of view to comment on this. My own experience is that a new method like
> SEARCH (that aims to replace GET) would require a lot of changes.

a) it is not a new method; it was defined years ago (as safe), some
code is already aware of that, and it's in the IANA HTTP method registry.

b) it doesn't aim to replace GET; that would be stupid.

> ...


Best regards, Julian

Received on Wednesday, 20 May 2015 08:09:38 UTC