IETF Logo Mail Archive

Re: Feedback on draft-ietf-httpbis-safe-method-w-body-02

Julian Reschke <julian.reschke@gmx.de> Thu, 20 January 2022 08:25 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DF023A1C07 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 20 Jan 2022 00:25:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.361
X-Spam-Level:
X-Spam-Status: No, score=-3.361 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, MAILING_LIST_MULTI=-1, NICE_REPLY_A=-0.714, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QJjZAqfIhZzq for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 20 Jan 2022 00:25:30 -0800 (PST)
Received: from lyra.w3.org (lyra.w3.org [128.30.52.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45F7A3A1C04 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 20 Jan 2022 00:25:29 -0800 (PST)
Received: from lists by lyra.w3.org with local (Exim 4.92) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1nASib-0000fp-Om for ietf-http-wg-dist@listhub.w3.org; Thu, 20 Jan 2022 08:22:53 +0000
Resent-Date: Thu, 20 Jan 2022 08:22:53 +0000
Resent-Message-Id: <E1nASib-0000fp-Om@lyra.w3.org>
Received: from titan.w3.org ([128.30.52.76]) by lyra.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <julian.reschke@gmx.de>) id 1nASiZ-0000eT-Fa for ietf-http-wg@listhub.w3.org; Thu, 20 Jan 2022 08:22:51 +0000
Received: from mout.gmx.net ([212.227.17.21]) by titan.w3.org with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <julian.reschke@gmx.de>) id 1nASiX-0008Ox-9k for ietf-http-wg@w3.org; Thu, 20 Jan 2022 08:22:51 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1642666956; bh=yf+zmxzwY+yVxJpWZllITYpofte5Yts+uTMmxq9ERPE=; h=X-UI-Sender-Class:Date:Subject:To:References:From:In-Reply-To; b=EmTfR7G7jjN9G1NEJNB9QyD18OHV9QBuarb52hqP3XJcDN2OTAl31iHd+qm58qNTS aw5xXC75TcZL4UqPtTYkHe49l3RtDWKwtzc5QYfHtnblR9EEv9RyITVtNsNLM+tqzX m/Q9VZ2sM6iLkwSuTQSag34ubGE30B+Jbz1Ng+cw=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.178.62] ([84.171.155.205]) by mail.gmx.net (mrgmx104 [212.227.17.168]) with ESMTPSA (Nemesis) id 1N2mBQ-1mA0Aa3Ar6-0139Ac for <ietf-http-wg@w3.org>; Thu, 20 Jan 2022 09:22:36 +0100
Message-ID: <1595be96-bcf5-8443-0b74-0b1d319399a2@gmx.de>
Date: Thu, 20 Jan 2022 09:22:36 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0
To: ietf-http-wg@w3.org
References: <CO6PR06MB7556DEBED9156324B1BC8360E6509@CO6PR06MB7556.namprd06.prod.outlook.com> <CO6PR06MB75567B02A53DEDDDCFE831BCE65A9@CO6PR06MB7556.namprd06.prod.outlook.com>
From: Julian Reschke <julian.reschke@gmx.de>
In-Reply-To: <CO6PR06MB75567B02A53DEDDDCFE831BCE65A9@CO6PR06MB7556.namprd06.prod.outlook.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:NM8/u9r/tzY96zstzizFufXq35+m8njQgfB6sJvN547uIlX6Pr8 oZUPtNLuPjMJmb9YHCsKum5m+P2NVebOB4+5SSnaODUbcccLITujsP6TBCvppvsX6dkLHIC U+QmZjfEX++8IyYcdWH2xHQQ4RAEtJ/xYGSalXBokrps5rCqhsWa/YJAiID9Z0UIgtnm4UX DlE6FNLYA/BI/MeGX+jtA==
X-UI-Out-Filterresults: notjunk:1;V03:K0:2qt9UpUnTDo=:8VLSpeDJkMZBbeckD/Z5as KqqHVWf067bd6WMwJT9swzhTORUG3hagOHDJAwhXMGi5u9tbNq7Idzf7KN4ls2JeEzlRTOSE8 9l4TPZVnLKXl6pmWWf1Ekvhe2wRJ1znCJQZlOnZ3rOtqSt/+U0HyciPivq38caBboO/t3zio9 Om71FP+BAedSBmp7tpksQI53kZ7rnDSZIeMCt9GLWFYoglsB9p7UtQBJrRFVFWS2IQbPvMsEt /ReDkK2uXHlXLSksHGJQzmyD82mPguWF7eGavq1UqQ7q9Uy1jvmNgZSGWzugbuFeYfkfxOqtV UNsNiO/rNU5ZfkwSYWIH+L56Dap4bhWX+A6X+GmJAh0azZxN0itrnElqA1ox/WC0fuUtDZERW ChYZSPhIOfgSlraxltLIcmquVRXIzQqAPm5CDm/W+7Hds/9PQS+3mN536tz88qVwUx2oSvBb2 P3w7H7fhosFdT4MAwVktp2+rkrFE42P3KsPLixrZSGw8qbbi0xLC74Tj2a+hES6m1BaocegkN eIB1EacPW/ljt7s72aEiOKdQzlirDdY4c+T8cbgwmAq/8jUNfuuq62tuvYaiS1duEbM8P9xaH uty9QH/UAVrZft0HAVPiXPAlUy2v97q9udEbaB4cpSG3Wr3ERM5sgKgDUm9lyqucnybiLr5vu ZEru3KVIzF3zOqVVN/Ts4wEr/Ojscs9uPm7oYyp2FbGU35qpNiCaL/uqi7KYNnTVSh51U7oz6 nS4on04aEvz5WEiKqh+FS2xcOnZ8Wfza1F3+IJdRKx60MOFesSK9WkqmZVHOkUme86f1nXNMd VKsuhDl8Wg/7ZlRntuBwlUjI5JF3+LJ/vBEZ3dvfIRRRT7aU9Si9RgffNkiRwppsluHb9Yks9 iQgtT/emt8MmM/9E7zWBpFcN/If6Z/dCrQHlIDHMiksMZF3uy8xVfSMb0+wBvHUaZsYFd+OCF Inwxtz3YZ0Ur+h3fHwXSWTgwQt3do5to4CVbk/NiQu6O+RVA/MPC+kPz5CWs8eSLeBvJlqJKH KXOPd1UPj7IjCui26ihi/2/acEkDCOHPd8ovgWmTN9kO4yyOujAGJgsy8YqMSTSEZvtVfnY0p x0jkVZF7JR5u14=
Received-SPF: pass client-ip=212.227.17.21; envelope-from=julian.reschke@gmx.de; helo=mout.gmx.net
X-W3C-Hub-DKIM-Status: validation passed: (address=julian.reschke@gmx.de domain=gmx.net), signature is good
X-W3C-Hub-Spam-Status: No, score=-5.6
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, W3C_AA=-1, W3C_IRA=-1, W3C_WL=-1
X-W3C-Scan-Sig: titan.w3.org 1nASiX-0008Ox-9k 210acda3c3f6f4bf1f4e32b3e9cdffa0
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Feedback on draft-ietf-httpbis-safe-method-w-body-02
Archived-At: <https://www.w3.org/mid/1595be96-bcf5-8443-0b74-0b1d319399a2@gmx.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/39766
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <https://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Thanks David!

Am 20.01.2022 um 08:17 schrieb Slik, David:
> I have some initial feedback on the draft HTTP Query Method proposal.
>
> https://datatracker.ietf.org/doc/draft-ietf-httpbis-safe-method-w-body/
> <https://datatracker.ietf.org/doc/draft-ietf-httpbis-safe-method-w-body/>
>
> After corresponding with the document authors, I have been directed to
> send my feedback to the IETF HTTP WG mailing list.
>
> Document feedback:
>
> *1. Introduction*
>
> Moving query parameters from the request URI to the request body
> improves overall security, given that the request URI is often cached,
> stored, logged and otherwise potentially disclosed by intermediary
> systems. As a result, if PII or other sensitive information is included
> in the query section of an URI, it is at a higher risk when compared to
> when it is included in the request body.
>
> A description of this advantage may be worth including.

Agreed; see <https://github.com/httpwg/http-extensions/issues/1895>.

> *2. Query*
>
> The resource that a query method targets is often a representation of a
> collection. As such, while technically correct, I would consider the
> statement, "The payload returned in response to a QUERY cannot be
> assumed to be a representation of the resource identified by the
> effective request URI." to be a little strong. Perhaps, "The payload
> returned in response to a QUERY*MAY*be a representation*other than*the
> resource identified by the effective request URI."?

Well, it will be something else most of the time. If it wasn't, we could
just use GET, no?

> The statement "If the response includes content, it is expected to
> describe the results of the operation." would be clearer if it was
> worded, "If the response includes a*response body*, it is expected to
> describe the results of the operation."

"content" is the correct term as per
<https://greenbytes.de/tech/webdav/draft-ietf-httpbis-semantics-19.html#content>.
(But we could hyperlink that).

> Regarding, "It is important to note, however, that such conditions are
> evaluated against the state of the target resource itself as opposed to
> the collected results of the search operation.", when the target
> resource is the collection, the conditions are evaluated against the
> entire collection (not just against the resulting subset, as you
> mention). This distinction may require additional elaboration.

I don't see a contradiction here. Note that "collection" is something
not defined in HTTP. If the target resource is a "collection", then yes,
the condition is by definition evaluated against the state of that
collection.

> *3. The "Accept-Query" Header Field*
>
> The sentence "The order of types listed by the Accept-Query header field
> is insignificant." should be changed to "The order of types listed by
> the Accept-Query header field is*not significant*." Insignificant
> implies that there is a difference indicated by the order, but it can be
> disregarded, where not significant indicates that there is no difference
> indicated by the order, and it shall be disregarded.

Agreed: <https://github.com/httpwg/http-extensions/issues/1896>

> *4. Examples*
>
> I would encourage including an example with a JSON query request and
> response.
>
> Here is an potential example that uses the draft IETF JSONPath query
> (https://datatracker.ietf.org/doc/draft-ietf-jsonpath-base/
> <https://datatracker.ietf.org/doc/draft-ietf-jsonpath-base/>):

I agree that more examples would be good. However, this would introduce
a dependency on a draft that is likely to be finished farer in the
future. Maybe there's a simpler-but-standardized JSON query language
that we can use (optimally with a defined media type...).

Best regards, Julian

v2.23.0 | Report a Bug | By Email