RE: draft findings on Unsafe Methods (whenToUseGet-7)

I'm going to leave out the discussion of SOAP, since it
isn't directly related to the subject line (when to use Get)

> File upload is not a safe operation.

Whether file upload is safe depends on the application.
Why isn't safe?

>  In general, most applications
> that involve user-supplied data being supplied to the server are not
> safe.

Often not, but sometimes yes.

>  The only exception is when the information is in the form of
> generalized query parameters, for which there is a trade-off between
> GET and POST that usually involves the size of the parameter content.

There are other exceptions; for example, where the parameter content
contains non-ASCII strings; also, XForms presumes an XML content model
that isn't nicely encoded in URL parameters.

> GET is only desirable for those cases where the parameters can be
> expressed as a meaningful URI.

Even then, there are other preconditions.

> The Safe header field was not
> implemented because it is utterly pointless to know whether or
> not a message is safe *after* it has been invoked.

No, it isn't 'utterly pointless'. One of the primary use cases for
knowing about whether a method was 'safe' was to decide whether it
was OK to re-do the method without warning the user, as is now done
with POST. A Safe POST could be redone (click Reload) without prompting,
and knowing after the fact was as useful as knowing before.

Received on Wednesday, 17 April 2002 01:11:17 UTC