Re: [XHR] send doesn’t explain what to do when method is GET

Stewart Brodie wrote:
> Jonas Sicking <jonas@sicking.cc> wrote:
> 
>> Anne van Kesteren wrote:
>>> On Mon, 10 Dec 2007 15:47:37 +0100, Maciej Stachowiak <mjs@apple.com> 
>>> wrote:
>>>> 3) The spec as written doesn't "state nothing", it appears to clearly 
>>>> require sending an entity body and does not allow ignoring the body or 
>>>> throwing an exception regardless of what is allowed per RFC. So some 
>>>> change is needed, one way or another.
>>> Ok. How about we add a step 5 of the send() algorithm that states that 
>>> additional requirements in RFC 2616 are also to be taken into account. 
>>> That should effectively defer the issue to RFC 2616.
>> Does any currently released browser include the body when doing an XHR 
>> GET request? If a big majority of them currently drop the body, then it 
>> seems like it would help interoperability if the spec explicitly stated 
>> that the body should be dropped.
>>
>> IMHO this wouldn't be going against RFC 2616 as it's the application, 
>> not the network layer, that drops the body.
> 
> Under no circumstances will my code permit an entity body to be sent as part
> of a request for an object that is going to be requested via GET or HEAD.
> It's just asking for trouble.  It also will not permit related headers to be
> set (Content-Length, Transfer-Encoding et al will be dropped)

Actually, once we're supporting cross site GET requests, I think we 
should definitely mention that the entity body of GET (and 
probably HEAD) requests is dropped. Otherwise there is some risk that 
there are servers out there that will do dangerous things when receiving 
GET requests with an entity body, such as treat it as a POST.

This seems like just one more argument for explicitly stating that the 
entity body for GET should be dropped at an XHR level.

/ Jonas

Received on Friday, 14 December 2007 18:31:24 UTC
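
The behaviour argued for in this thread, sketched as an added example (not part of the original e-mails, the XHR draft, or any browser's code): for GET and HEAD the entity body is dropped before the request leaves the application layer, along with the body-describing headers Stewart Brodie names. The function name `prepareRequest`, its return shape, and the upper-casing of the method are assumptions made for illustration.

```javascript
// Added illustration: hypothetical helper, not taken from the XHR spec or a browser.
// Methods whose entity body is dropped, per the thread (GET, and probably HEAD).
const BODYLESS_METHODS = new Set(["GET", "HEAD"]);

// Headers that describe an entity body. The thread names Content-Length and
// Transfer-Encoding "et al"; only the two named ones are listed here.
const BODY_HEADERS = new Set(["content-length", "transfer-encoding"]);

// Returns the request as it should go to the network layer, plus a list of
// what was removed so a caller can log or surface it.
function prepareRequest(method, headers, body) {
  // Assumption: method names are compared case-insensitively.
  const m = String(method).toUpperCase();
  const source = headers || {};

  if (!BODYLESS_METHODS.has(m)) {
    // POST, PUT, etc. keep their body and headers untouched.
    return { method: m, headers: { ...source }, body: body ?? null, dropped: [] };
  }

  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(source)) {
    // Header names are case-insensitive, so match on the lower-cased name.
    if (BODY_HEADERS.has(name.toLowerCase())) dropped.push(name);
    else kept[name] = value;
  }
  if (body != null) dropped.push("(entity body)");

  // A GET/HEAD never carries a body, so a server cannot mistake it for a POST.
  return { method: m, headers: kept, body: null, dropped };
}

// Constructed sample input: a GET that a script tried to give a form body.
function demo() {
  return prepareRequest(
    "get",
    { "Content-Length": "10", "transfer-encoding": "chunked", Accept: "text/plain" },
    "delete=all"
  );
}
```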