- From: HTML Issue Tracking Issue Tracker <sysbot+tracker@w3.org>
- Date: Fri, 2 Nov 2007 15:22:16 +0000 (GMT)
- To: public-html@w3.org

ISSUE-1 (PINGPOST): hyperlink auditing requires use of unsafe HTTP method

http://www.w3.org/html/wg/tracker/issues/

Raised by: Julian Reschke
On product:

"4.12.2.1. Hyperlink auditing" states:

"For URIs that are HTTP URIs, the requests must be performed using the POST method (with an empty entity body in the request)." -- http://www.w3.org/html/wg/html5/#hyperlink0

This seems to be the wrong approach, as POST is an unsafe method, about which RFC2616 (HTTP/1.1) states:

"9.1.1 Safe Methods

Implementors should be aware that the software represents the user in their interactions over the Internet, and should be careful to allow the user to be aware of any actions they might take which may have an unexpected significance to themselves or others.

In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them." -- http://tools.ietf.org/html/rfc2616#section-9.1.1

Emphasis on: "The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them."

A user who follows a link clearly does not request any side-effects, so using POST here seems to be in conflict with RFC2616.

Proposal: use GET or HEAD instead.

Received on Friday, 2 November 2007 15:22:44 UTC