- From: Tim Ellison/OTT/OTI <Tim_Ellison@oti.com>
- Date: Thu, 6 Jul 2000 12:28:50 -0400
- To: w3c-dist-auth@w3.org
The server should be free to refuse depth requests (>1<g>) that it decides are too expensive. Of course, that does not preclude the spec from allowing the header value to be 0 .. n or infinity, but it does further complicate the client that has to deal with refusals and 'do the work'. If maintaining a simple client is required, I would vote for dropping depth infinity (and keeping only 0 and 1). Tim Greg Stein <gstein@lyra.org> Sent by: w3c-dist-auth-request@w3.org 06-07-00 10:15 AM To: w3c-dist-auth@w3.org cc: Subject: [hwarncke@Adobe.COM: Re: [dav-dev] Depth Infinity Requests] What is the general consensus on PROPFIND with Depth: infinity? I quoted a couple messages below that tend to favor disallowing them. I got that impression from some other comments on this list, but couldn't find specific references. For clarity: can prople give opinions on simply disabling PROPFIND infinity? JimW: we should probably note (explicitly) in the spec that a server may return a 403 (Forbidden) if a client requests a PROPFIND with a Depth of infinity. [ I believe everybody is probably okay with returning a 403 (Forbidden) in certain cases. My question is more along the lines of outright shutting it off before beginning to walk the repository to see what is up. ] Cheers, -g ----- Forwarded message from Hartmut Warncke <hwarncke@Adobe.COM> ----- Date: Wed, 05 Jul 2000 13:55:39 +0200 From: Hartmut Warncke <hwarncke@Adobe.COM> Reply-To: Hartmut.Warncke@Adobe.COM To: Greg Stein <gstein@lyra.org> CC: Mod_dav Mailing List <dav-dev@lyra.org> Subject: Re: [dav-dev] Depth Infinity Requests > I am having a hard time locating the specific discussions (I believe there > have been a couple) in the archives regarding PROPFIND infinity requests. I > have found two references so far: > > http://lists.w3.org/Archives/Public/w3c-dist-auth/1999AprJun/0062.html > http://lists.w3.org/Archives/Public/w3c-dist-auth/1999AprJun/0071.html > > Take a look at the end of each of these notes. > At the end of the second note I found a statement of Jim Whitehead: "As a result, a conservative client should never perform a PROPFIND, depth infinity unless it knows the namespace it is issuing the PROPFIND against, and a server should be free to refuse to process a PROPFIND, depth infinity if it would result in too large a response (since this could easily be used to implement a denial of service attack). Both of these approaches are allowed by the specification." I do not understand the last sentence because I did not find anything about that issue in RFC 2518 (Did I miss something?). I think the information that a server can refuse a depth infinity request is a very important information which should be included in RFC2518?! Hartmut ----- End forwarded message ----- -- Greg Stein, http://www.lyra.org/
Received on Thursday, 6 July 2000 12:32:37 UTC