- From: Richard Gibson <notifications@github.com>
- Date: Thu, 14 Jan 2021 11:39:45 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 14 January 2021 19:39:58 UTC
httpwg/http-core#202 is something of a focal point for this conversation, and was resolved by updating the latest HTTP spec draft to include the explanation you're asking for:

> A client SHOULD NOT generate a body in a GET request. A payload received in a GET request has no defined semantics, **cannot alter the meaning or target of the request**, and might lead some implementations to reject the request and close the connection because of its potential as a **request smuggling attack** ([Section 11.2](https://httpwg.org/http-core/draft-ietf-httpbis-messaging-latest.html#request.smuggling) of [[Messaging]](https://httpwg.org/http-core/draft-ietf-httpbis-semantics-latest.html#Messaging)).

It's not so much that HTTP clients are strictly forbidden from including content in a GET request, it's that HTTP servers may not use such content.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/551#issuecomment-760431326
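An added example, not part of the original message or of any HTTP implementation: a sketch of the strict behaviour the quoted draft text allows, where a front end inspects the request head and refuses a GET that declares a body or has ambiguous framing. The function names, the rejection policy and the sample requests are assumptions constructed for illustration.

```python
# Added example: strict framing check for GET requests (hypothetical names).

def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        # No colon, or whitespace around the field name: refuse to guess.
        if not sep or name != name.strip():
            raise ValueError("malformed header line")
        headers.append((name.lower(), value.strip()))
    return method, target, headers


def get_body_verdict(raw: bytes) -> str:
    """Return 'accept' or 'reject: <reason>' for one request head."""
    method, _target, headers = parse_head(raw)
    lengths = [v for n, v in headers if n == "content-length"]
    chunked = any(n == "transfer-encoding" for n, _ in headers)
    # Ambiguous framing is rejected for every method, not only GET.
    if chunked and lengths:
        return "reject: both Transfer-Encoding and Content-Length"
    if len(set(lengths)) > 1:
        return "reject: conflicting Content-Length values"
    if lengths and not (lengths[0].isascii() and lengths[0].isdigit()):
        return "reject: invalid Content-Length"
    declares_body = chunked or (bool(lengths) and int(lengths[0]) > 0)
    if method == "GET" and declares_body:
        return "reject: body on GET request"
    return "accept"


HOST = b"Host: example.test\r\n"  # constructed sample requests below
SAMPLES = {
    "plain_get": b"GET /items HTTP/1.1\r\n" + HOST + b"\r\n",
    "get_zero_len": b"GET /items HTTP/1.1\r\n" + HOST + b"Content-Length: 0\r\n\r\n",
    "get_with_body": b"GET /items HTTP/1.1\r\n" + HOST + b"Content-Length: 7\r\n\r\nq=hello",
    "get_chunked": b"GET /items HTTP/1.1\r\n" + HOST + b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "post_body": b"POST /items HTTP/1.1\r\n" + HOST + b"Content-Length: 7\r\n\r\nq=hello",
    "te_and_cl": b"POST /items HTTP/1.1\r\n" + HOST
                 + b"Content-Length: 7\r\nTransfer-Encoding: chunked\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:14} {get_body_verdict(request)}")
```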