- From: Willy Tarreau <w@1wt.eu>
- Date: Fri, 29 Jul 2016 07:26:02 +0200
- To: Adrien de Croy <adrien@qbik.com>
- Cc: "Roy T. Fielding" <fielding@gbiv.com>, Alex Rousskov <rousskov@measurement-factory.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Julian Reschke <julian.reschke@gmx.de>
On Thu, Jul 28, 2016 at 09:33:40PM +0000, Adrien de Croy wrote: > > the text in the RFC is > > "A payload within a GET request message has no defined semantics;" > > I guess it comes down to interpretation as to whether you take that to mean > > a) this document defines no semantics for the body on GET request messages > b) this document prohibits any semantic meaning being applied to the body on > GET request messages > > If you take the former interpretation then we have this situation. > > If you take the latter, then I think it should be re-worded to be more > specific, since it has implications like a proxy being free to strip bodies > off GET request messages etc. "has no defined semantics" implies "according to this spec". The spec does not prohibit anything, it even suggests that some servers may reject this body, meaning "use at your own risk". As soon as you want to use that, you decide about what semantics you'll use. A proxy like yours, designed to be used between end-users and the internet and to increase security could safely strip such contents, because it will be difficult for users and servers to agree on non-documented semantics. A proxy designed to be the most transparent and interoperable possible, not focusing specifically on security and possibly being deployed as a gateway between internal components could be blamed for doing this if someone locally decides to apply some semantics to a GET body. But that's always a risk when using out-of-spec features ;-) Willy
Received on Friday, 29 July 2016 05:26:44 UTC