- From: Mark Nottingham <mnot@yahoo-inc.com>
- Date: Sat, 22 Apr 2006 11:23:33 -0700
- To: Mark Baker <distobj@acm.org>
- Cc: "Julian Reschke" <julian.reschke@gmx.de>, "Web APIs WG (public)" <public-webapi@w3.org>
On 2006/04/22, at 7:45 AM, Mark Baker wrote:

> On 4/21/06, Mark Nottingham <mnot@yahoo-inc.com> wrote:
>>
>> RFC2616, section 4.3;
>>
>> "A message-body MUST NOT be included in a request if the
>> specification of the request method (section 5.1.1) does not allow
>> sending an entity-body in requests. "
>
> Right.
>
>>
>> GET, HEAD and DELETE do not allow for an entity-body in requests.
>
> You'd think so, wouldn't you? But that's not the case; they all
> permit them.

It depends on how you read "does not allow"; the definitions of those methods do not explicitly allow a body, so if you're a "everything not allowed is forbidden" kind of guy (which is how the MUST NOT requirement above is written), they *don't* permit them.

I do agree that HTTP isn't very clear on this matter, but I couldn't find any immediately apparent discussion in the WG. Do you have a ref?

What do you think a request body on GET will mean? What developers will probably do with it -- especially if forthcoming access control mechanisms have a higher barrier for POST -- makes me shudder.

> We wouldn't want to profile HTTP, would we? 8-)

*tbbtttbbhbt*

--
Mark Nottingham
mnot@yahoo-inc.com
Received on Saturday, 22 April 2006 18:23:57 UTC