- From: Joshua Allen <joshuaa@microsoft.com>
- Date: Sat, 30 Mar 2002 19:01:36 -0800
- To: "Gavin Thomas Nicol" <gtn@rbii.com>, <www-tag@w3.org>
> > But everybody does this on the web all of the time! When I go to
> > eBay I don't see your auctions, I see mine!
>
> I was talking about mapping 'functional' resources onto URI's, or
> passing parameters from a form to a URI. Things like the proposal for
> variable substitution in the submission URI make it easier to map
> services into URI space (especially with well-defined GET-able
> resources). In lieu of a framework for doing this, people have
> traditionally used POST. SOAP over HTTP/XML-RPC is a logical extension
> (to developers) of POST.

Exactly, eBay is a great example of how 95% of the universe use POST as RPC rather than its intended RESTful purpose.

There *is* a "proper" way to use POST: in my opinion that is the behavior which says that the POSTed entity creates a new URI which is subordinate to the POST target, and returns the URI of that new resource. This is really a fine architecture, and if people stuck to it we would have a much easier time in realizing the semantic web. Too bad only 5% of the people who use POST actually use it "properly" (the way I define proper), and only 5% of those people even could say why it is "proper". POST makes itself so easy to abuse, that the situation today is people who treat POST right do so accidentally rather than deliberately.

So, what do we do about it? My suggestion is:

1) "Educate" people to stop abusing POST

2) Give people incentive to deploy more RESTful architectures by enhancing the value of other uses of the web (besides GET and abusive-POST, which are both just fine as RPC). In other words, make an obvious value proposition for using these protocols "properly" -- people may still choose to abuse, but with full knowledge that they are losing some great opportunities.

3) Try to gain some transparency into the cases where people are exposing functionality (instead of resources) over POST. As it currently stands, people who use CGI+POST to call COM/DCOM/EJB are no different to a firewall administrator than those who don't. It is impossible for firewall admins to have any visibility into how people are abusing POST. Furthermore, it is impossible for future advances (in caching, semantic web, etc.) to know whether a particular POST is RESTful or RPCful. So this lack of transparency makes it hard to progress.

4) Try to get vendors to encourage 1-3 in their products.

And I think that #1 above is fairly weak by itself. To say that re-education alone is enough would require:

A) Getting agreement (even at TAG level) that all non-resource exposure of functionality via POST is "wrong".

B) Actively working to interfere with and prevent users from using POST this way.

"A" is going to be very difficult, and "B" is just plain rude. And in the extremely likely event that both would fail to eliminate POST abuse, we would end up just heaping lots of punishment on users for no effect whatsoever. (*Maybe* it would be possible to get TAG to agree about "A", but it would take heaps of hubris to think that was all there is to it).

-J
Received on Saturday, 30 March 2002 22:01:39 UTC