Re: [whatwg/fetch] non-null body with GET/HEAD requests (Issue #1705)

Indeed. RFC9110 is [very clear about this](https://httpwg.org/specs/rfc9110.html#GET):

> Although request message framing is independent of the method used, content received in a GET request has no generally defined semantics, cannot alter the meaning or target of the request, and might lead some implementations to reject the request and close the connection because of its potential as a request smuggling attack ([Section 11.2](https://httpwg.org/specs/rfc9112.html#request.smuggling) of [[HTTP/1.1]](https://httpwg.org/specs/rfc9110.html#HTTP11)). A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported. An origin server SHOULD NOT rely on private agreements to receive content, since participants in HTTP communication are often unaware of intermediaries along the request chain.

Previous HTTP specifications said that bodies were allowed on all methods, but that was _only_ to allow new methods to be introduced without coordinating with every intermediary on the Web. It was not intended to retrofit bodies onto GET, and RFC7231 clarified that; when the message didn't get through, we (i.e., a consensus of HTTP implementers) made it more explicit in 9110.

Yes, we're well aware that some applications (e.g., Elasticsearch) do use bodies on GET. That is not interoperable on the open web; it only works in closed systems that, effectively, are not HTTP. While some might think that their deployment qualifies as such, it's rarely the case, because most people do not control every possible HTTP system and component that the messages might ever be handled by (e.g., load balancers, virus scanners, WAFs). Doing so also reduces the choice of tools and implementations that can be used in that deployment, reducing the value of using HTTP.

The HTTP WG is working on [a better way to do this](https://httpwg.org/http-extensions/draft-ietf-httpbis-safe-method-w-body.html). That's not done yet, but in the meantime, POST is viable. I'm happy to help talk folks through the issues here if it will help.

-- 
https://github.com/whatwg/fetch/issues/1705#issuecomment-1736852680

Message ID: <whatwg/fetch/issues/1705/1736852680@github.com>

Received on Wednesday, 27 September 2023 07:28:56 UTC
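The two sides of the rule quoted above, as an added example that is not part of the thread, the Fetch Standard, or any HTTP WG code: on the client, the Fetch API already throws a TypeError for a GET/HEAD request constructed with a non-null body; on the origin server or intermediary, RFC 9110 permits rejecting a GET that carries content and closing the connection. The function names (`assertNoBodyOnGetOrHead`, `parseRequestHead`, `policyForGetWithContent`) and the sample request heads are this example's own assumptions, not anything from the page.

```javascript
// Added example (not from the whatwg/fetch thread): two defender-side checks.

// 1. Client side. The Fetch API forbids a non-null body on GET/HEAD; this
//    function reproduces that rule so application code can validate a
//    RequestInit before calling fetch(). Name is this example's own.
function assertNoBodyOnGetOrHead(method, body) {
  const m = String(method).toUpperCase();
  if ((m === "GET" || m === "HEAD") && body !== null && body !== undefined) {
    throw new TypeError("Request with GET/HEAD method cannot have body");
  }
  return true;
}

// 2. Origin-server / intermediary side. Parse a raw HTTP/1.1 request head
//    (request line plus header lines) into a small record. Header handling is
//    deliberately minimal and constructed for this example only.
function parseRequestHead(rawHead) {
  const lines = rawHead.split(/\r?\n/).filter((l) => l.length > 0);
  const [method, target, version] = lines[0].split(" ");
  const headers = new Map();
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Repeated fields are folded with a comma, as HTTP does for list fields.
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return { method, target, version, headers };
}

// Decide whether a GET/HEAD request that signals content should be served.
// RFC 9110 lets an implementation reject such a request and close the
// connection; this policy does exactly that and explains why in `reason`.
function policyForGetWithContent(rawHead) {
  const req = parseRequestHead(rawHead);
  const isGetOrHead = req.method === "GET" || req.method === "HEAD";
  const cl = req.headers.get("content-length");
  const te = req.headers.get("transfer-encoding");
  // Any framing that announces content on GET/HEAD is treated as suspect:
  // a non-zero Content-Length or any Transfer-Encoding. Content-Length: 0 is
  // fine, since it announces no content at all.
  const signalsContent =
    (cl !== undefined && Number.parseInt(cl, 10) > 0) || te !== undefined;
  if (isGetOrHead && signalsContent) {
    return {
      accept: false,
      status: 400,
      closeConnection: true, // do not reuse a connection whose framing we distrust
      reason: `${req.method} request carries content (Content-Length=${cl ?? "-"}, Transfer-Encoding=${te ?? "-"})`,
    };
  }
  return { accept: true, status: null, closeConnection: false, reason: "ok" };
}

// Constructed sample request heads (not captured traffic).
const SAMPLE_PLAIN_GET = "GET /search HTTP/1.1\r\nHost: example.test\r\n";
const SAMPLE_GET_WITH_BODY =
  "GET /search HTTP/1.1\r\nHost: example.test\r\nContent-Length: 27\r\n";
const SAMPLE_POST =
  "POST /search HTTP/1.1\r\nHost: example.test\r\nContent-Length: 27\r\n";

if (typeof require !== "undefined" && require.main === module) {
  for (const head of [SAMPLE_PLAIN_GET, SAMPLE_GET_WITH_BODY, SAMPLE_POST]) {
    const d = policyForGetWithContent(head);
    console.log(head.split("\r\n")[0], "=>", d.accept ? "accept" : `reject ${d.status}: ${d.reason}`);
  }
  try {
    assertNoBodyOnGetOrHead("GET", "q=elasticsearch");
  } catch (e) {
    console.log("client-side check:", e.message);
  }
}
```

The server-side policy mirrors what the quoted RFC text anticipates: a GET announcing content is rejected with 400 and the connection is not reused, because the same bytes could be framed differently by the next hop. The client-side check is what `fetch()` already enforces, so a migration to POST (as the comment suggests) is the practical fix rather than trying to push a body through GET.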