- From: Jonas Sicking <jonas@sicking.cc>
- Date: Sun, 23 Apr 2006 04:28:17 -0700
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: Mark Nottingham <mnot@yahoo-inc.com>, "Web APIs WG (public)" <public-webapi@w3.org>

Maciej Stachowiak wrote:
>
> On Apr 21, 2006, at 9:33 AM, Mark Nottingham wrote:
>
>> [ from the big comment e-mail; raising as a separate issue, as
>> requested ]
>>
>> The current draft says that:
>> "If the method is POST or PUT, then the data passed to the send()
>> method must be used for the entity body."
>>
>> This doesn't account for other request methods that may have a
>> request body, e.g., PROPPATCH. Suggested text:
>>
>> "Any data passed to the send() method MUST be used in the entity
>> body. If data is passed to send() when it is known to be incorrect
>> (e.g., in GET, HEAD, and DELETE requests), implementations MUST raise
>> an error."
>
> Current implementations silently ignore the body in this case. It seems
> like a bad idea to change this to raising an exception, since it could
> break existing content that blindly sets a body. But it seems ok to
> change the requirement to require ignoring the body for a specific list
> of methods, instead of allowing it only for a specific list of methods,
> so long as this would not allow security holes or violations of the
> http spec.

Agreed. Not following the HTTP spec as written now is a bad idea since it could confuse proxies and servers and thereby cause security issues.

/ Jonas

Received on Sunday, 23 April 2006 11:28:16 UTC