Re: REST and the Web

----- Original Message -----
From: "Joshua Allen" <joshuaa@microsoft.com>
To: "Gavin Thomas Nicol" <gtn@rbii.com>; <www-tag@w3.org>
Sent: Saturday, March 30, 2002 10:01 PM
Subject: RE: REST and the Web


> > > But everybody does this on the web all of the time! When I go to
> > > eBay I don't see your auctions, I see mine!
> >
> > I was talking about mapping 'functional' resources onto URI's, or
> > passing parameters from a form to a URI. Things like the proposal for
> > variable substitution in the submission URI make it easier to map
> > services into URI space (especially with well-defined GET-able
> > resources). In lieu of a framework for doing this, people have
> > traditionally used POST. SOAP over HTTP/XML-RPC is a logical extension
> > (to developers) of POST.
>
> Exactly, eBay is a great example of how 95% of the universe use POST as
> RPC rather than its intended RESTful purpose.
>
> There *is* a "proper" way to use POST: in my opinion that is the
> behavior which says that the POSTed entity creates a new URI which is
> subordinate to the POST target, and returns the URI of that new
> resource.  This is really a fine architecture, and if people stuck to it
> we would have a much easier time in realizing the semantic web.
>
> Too bad only 5% of the people who use POST actually use it "properly"
> (the way I define proper), and only 5% of those people even could say
> why it is "proper".  POST makes itself so easy to abuse, that the
> situation today is people who treat POST right do so accidentally rather
> than deliberately.
>
> So, what do we do about it?  My suggestion is:
>
> 1) "Educate" people to stop abusing POST
> 2) Give people incentive to deploy more RESTful architectures by
> enhancing the value of other uses of the web (besides GET and
> abusive-POST, which are both just fine as RPC).  In other words, make an
> obvious value proposition for using these protocols "properly" -- people
> may still choose to abuse, but with full knowledge that they are losing
> some great opportunities.
> 3) Try to gain some transparency into the cases where people are
> exposing functionality (instead of resources) over POST.  As it
> currently stands, people who use CGI+POST to call COM/DCOM/EJB are no
> different to a firewall administrator than those who don't.  It is
> impossible for firewall admins to have any visibility into how people
> are abusing POST.  Furthermore, it is impossible for future advances (in
> caching, semantic web, etc.) to know whether a particular POST is
> RESTful or RPCful.  So this lack of transparency makes it hard to
> progress.
> 4) Try to get vendors to encourage 1-3 in their products.
>
> And I think that #1 above is fairly weak by itself.  To say that
> re-education alone is enough would require:
>
> A) Getting agreement (even at TAG level) that all non-resource exposure
> of functionality via POST is "wrong".

Not sure what "non-resource exposure of functionality" means here
but if you mean using POST for something with no side-effects
I think that sounds reasonable.

> B) Actively working to interfere with and prevent users from using POST
> this way.

I don't know why you jump to words like "interfere" which
However, we can do things such as lobby for software to be changed to make
it easier to do the right thing.  There is also a bit of a security element of
the POST/GET debate, and if we make it clear that allowing GET to do things
is a security hole (which it is), then this may move people rapidly.

> "A" is going to be very difficult, and "B" is just plain rude.  And in
> the extremely likely event that both would fail to eliminate POST abuse,
> we would end up just heaping lots of punishment on users for no effect
> whatsoever.
>
> (*Maybe* it would be possible to get TAG to agree about "A", but it
> would take heaps of hubris to think that was all there is to it).

It isn't rude to stop people breaking the Web, any more
than it's rude to stop them breaking railway tracks.

It *is* a question of putting it in the terms that a developer of a web site
will understand, and giving examples, and putting it into talks at conferences
and making gentle fun of sites which do it wrong.

> -J
>
>

Received on Monday, 1 April 2002 13:13:10 UTC
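The two points the thread turns on, that a "proper" POST creates a resource subordinate to its target and answers with that resource's URI, and that letting GET change state is a security hole, can be shown in a few lines of dispatch logic. The following is an added example written for this page, not code from the www-tag thread or from any of its participants; the `/auctions` collection, the `handle_request` signature and the in-memory store are all assumptions made for illustration.

```python
"""In-memory HTTP-style dispatcher illustrating the POST contract discussed
in the thread: POST on a collection creates a subordinate resource and
returns its URI (201 + Location); GET is a safe method and never mutates.

Added example, not part of the original mail.  The /auctions collection,
the handle_request signature and the store layout are assumptions.
"""

import re
from typing import Dict, Tuple

# Constructed sample state: a "collection" of auction resources keyed by id.
Store = Dict[int, dict]

COLLECTION = "/auctions"                       # assumed collection URI
ITEM_RE = re.compile(r"^/auctions/(\d+)$")     # subordinate resource URIs


def handle_request(method: str, path: str, body: object, store: Store) -> Tuple[int, dict, object]:
    """Dispatch one request against `store`; returns (status, headers, body)."""
    method = method.upper()

    # Safe method: reading must never change the store.  An "action" URI
    # reached by GET (e.g. /auctions/1/close) simply does not exist, so a
    # crawler, link prefetcher or pasted hyperlink cannot trigger a change.
    if method == "GET":
        if path == COLLECTION:
            items = [f"{COLLECTION}/{i}" for i in sorted(store)]
            return 200, {"Content-Type": "application/json"}, {"items": items}
        m = ITEM_RE.match(path)
        if m and int(m.group(1)) in store:
            return 200, {"Content-Type": "application/json"}, store[int(m.group(1))]
        return 404, {}, {"error": "no such resource"}

    # "Proper" POST as the thread defines it: the entity becomes a new
    # resource subordinate to the target, and the reply names its URI.
    if method == "POST":
        if path != COLLECTION:
            # Posting "commands" to arbitrary paths is the RPC-over-POST
            # pattern the thread criticises; this server has no such endpoints.
            return 405, {"Allow": "GET"}, {"error": "POST not allowed here"}
        if not isinstance(body, dict) or "title" not in body:
            return 400, {}, {"error": "entity must be an object with a title"}
        new_id = max(store, default=0) + 1
        store[new_id] = dict(body)
        location = f"{COLLECTION}/{new_id}"
        return 201, {"Location": location}, {"created": location}

    return 405, {"Allow": "GET, POST"}, {"error": "method not allowed"}


def demo() -> dict:
    """Walk the contract once on a fresh store and report what was observed."""
    store: Store = {}
    results = {}

    # Create: the response carries the URI of the new subordinate resource.
    status, headers, _ = handle_request("POST", COLLECTION, {"title": "vintage radio"}, store)
    results["create"] = (status, headers.get("Location"))

    # Read it back through the URI the server handed out.
    status, _, item = handle_request("GET", headers["Location"], None, store)
    results["read"] = (status, item["title"])

    # Attempted state change over GET: refused, store untouched.
    before = dict(store)
    status, _, _ = handle_request("GET", f"{headers['Location']}/close", None, store)
    results["get_action"] = (status, store == before)

    # Same "command" over POST to a non-collection path: also refused.
    status, _, _ = handle_request("POST", f"{headers['Location']}/close", {"op": "close"}, store)
    results["post_action"] = (status, store == before)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The design choice worth noticing is that the only way to change state is a POST to the collection, and the only thing that POST does is mint a new URI; every other URI is read-only, which is what lets caches, firewalls and crawlers treat the site as a set of resources rather than a bag of remote procedures.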