- From: Kendall Clark <kendall@monkeyfist.com>
- Date: Tue, 17 Jan 2006 16:16:24 -0500
- To: Mark Baker <distobj@acm.org>
- Cc: public-rdf-dawg-comments@w3.org

On Jan 17, 2006, at 11:34 AM, Mark Baker wrote:

> In the HTTP binding part of the protocol[1], the advice as to whether
> or not a URI serialization for the query is suitable is given as;
>
> "The GET binding should be used except in cases where the URL-encoded
> query exceeds practicable limits, in which case the POST binding
> should be used."
>
> Due to the considerations in the "security" section about possible
> denial-of-service attacks, combined with the assumed "do no harm"
> (safety) aspect of GET, I think it's quite reasonable for a service
> provider not to expose potentially expensive queries via URI+GET.
>
> I still like the idea of a SHOULD-level requirement for using URIs
> though, so perhaps something like this could be said;
>
> "The GET binding SHOULD be used except in the following cases, in
> which case the POST binding SHOULD be used;
>
> o where the URL-encoded query exceeds practicable length limits
> o where the cost of processing the query may be prohibitive (see
> Section 3.1, "Security")"

Actually, Mark, I just realized that the editor's draft already has language to this effect:

<p>The <code>queryHttpGet</code> binding <strong>should</strong> be used except in cases where the URL-encoded query exceeds practicable limits, in which case the <code>queryHttpPost</code> binding <strong>should</strong> be used.</p>

Is that sufficient? (Now that I've thought about things a bit more, the 2nd point seems much more ambiguous and complex.)

Cheers,
Kendall

--
You're part of the human race
All of the stars and the outer space
Part of the system again

Received on Tuesday, 17 January 2006 21:16:31 UTC