Re: RFC7234: Can a request body form part of a "cache key"?

On Thu, Jul 28, 2016 at 09:33:40PM +0000, Adrien de Croy wrote:
> 
> the text in the RFC is
> 
> "A payload within a GET request message has no defined semantics;"
> 
> I guess it comes down to interpretation as to whether you take that to mean
> 
> a) this document defines no semantics for the body on GET request messages
> b) this document prohibits any semantic meaning being applied to the body on
> GET request messages
> 
> If you take the former interpretation then we have this situation.
> 
> If you take the latter, then I think it should be re-worded to be more
> specific, since it has implications like a proxy being free to strip bodies
> off GET request messages etc.

"has no defined semantics" implies "according to this spec". The spec
does not prohibit anything, it even suggests that some servers may
reject this body, meaning "use at your own risk". As soon as you want
to use that, you decide about what semantics you'll use.

A proxy like yours, designed to be used between end-users and the internet
and to increase security, could safely strip such contents, because it will
be difficult for users and servers to agree on non-documented semantics. A
proxy designed to be the most transparent and interoperable possible, not
focusing specifically on security and possibly being deployed as a gateway
between internal components could be blamed for doing this if someone locally
decides to apply some semantics to a GET body. But that's always a risk when
using out-of-spec features ;-)

Willy

Received on Friday, 29 July 2016 05:26:44 UTC
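
Added example, not part of the original message or of any proxy discussed in the thread: a small Python model of the two proxy stances described above, next to a cache keyed the RFC 7234 way (method and target URI only). All function names, the "strip"/"transparent" mode names, the choice to bypass the cache in transparent mode, and the sample requests are assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not from any real proxy.
FRAMING = {"content-length", "transfer-encoding", "content-type"}

def cache_key(req):
    # RFC 7234 primary cache key: request method plus target URI, no body.
    return (req["method"].upper(), req["uri"])

def apply_get_body_policy(req, mode):
    """Return (request_to_forward, may_use_cache) for one request.

    mode "strip": security proxy, drops the undefined GET payload.
    mode "transparent": gateway, forwards it untouched but bypasses the
    cache, because the body is not part of the key.
    """
    if req["method"].upper() != "GET" or not req["body"]:
        return req, True
    if mode == "strip":
        headers = {k: v for k, v in req["headers"].items()
                   if k.lower() not in FRAMING}
        return {**req, "headers": headers, "body": b""}, True
    if mode == "transparent":
        return req, False
    raise ValueError(f"unknown mode: {mode}")

def origin(req):
    # Constructed backend that applies local semantics to a GET body.
    return b"result for " + (req["body"] or b"<no body>")

def fetch(cache, req, mode):
    """mode None models a cache that ignores GET bodies entirely."""
    fwd, use_cache = (req, True) if mode is None else apply_get_body_policy(req, mode)
    key = cache_key(fwd)
    if use_cache and key in cache:
        return cache[key]
    resp = origin(fwd)
    if use_cache:
        cache[key] = resp
    return resp

def make_req(body):
    # Constructed sample request.
    hdrs = {"Host": "internal.example", "Content-Length": str(len(body))}
    return {"method": "GET", "uri": "/search", "headers": hdrs, "body": body}

def demo(mode):
    cache = {}
    return [fetch(cache, make_req(b), mode) for b in (b"q=alpha", b"q=beta")]
```

With mode None the second request is answered from the entry stored for the first, which is the mix-up that either policy avoids.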