W3C home > Mailing lists > Public > ietf-http-wg@w3.org > July to September 2021

Re: #904: Content on GET requirement strength

From: Julian Reschke <julian.reschke@gmx.de>
Date: Fri, 16 Jul 2021 18:41:37 +0200
To: ietf-http-wg@w3.org
Message-ID: <589b450d-9408-b8a7-43df-bcd6652a0e10@gmx.de>
Am 16.07.2021 um 18:11 schrieb Carsten Bormann:
> On 2021-07-16, at 16:33, Mike Bishop <mbishop@evequefou.be> wrote:
>> prior arrangement with all parties -- and it's otherwise prohibited.
> Why is this one different from other places where the standard is making clear mandates and there is still behavior out there that violates those?
> Are we downgrading all MUSTs to SHOULDs as soon as we see deviating behavior between consenting implementations in the wild?
> ...

Adding history:

In RFC 2616, the spec had no normative requirement not to send GET
request bodies.

RFC 7230 added a statement about the payload having no defined syntax,
still no normative requirement.

The current draft, after two LCs, now says:

"A client SHOULD NOT generate content in a GET request. Content received
in a GET request has no defined semantics, cannot alter the meaning or
target of the request, and might lead some implementations to reject the
request and close the connection because of its potential as a request
smuggling attack (Section 11.2 of [Messaging])."

This discussion is about either adding more prose to the SHOULD NOT, or
further *upgrading* it to a MUST NOT.

Best regards, Julian
Received on Friday, 16 July 2021 16:41:52 UTC

This archive was generated by hypermail 2.4.0 : Friday, 16 July 2021 16:41:54 UTC