Feedback on draft-ietf-httpbis-safe-method-w-body-02

"Slik, David" <David.Slik@netapp.com> Thu, 20 January 2022 07:20 UTC

From: "Slik, David" <David.Slik@netapp.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Date: Thu, 20 Jan 2022 07:17:02 +0000
Message-ID: <CO6PR06MB75567B02A53DEDDDCFE831BCE65A9@CO6PR06MB7556.namprd06.prod.outlook.com>
Archived-At: <https://www.w3.org/mid/CO6PR06MB75567B02A53DEDDDCFE831BCE65A9@CO6PR06MB7556.namprd06.prod.outlook.com>

I have some initial feedback on the draft HTTP Query Method proposal.

https://datatracker.ietf.org/doc/draft-ietf-httpbis-safe-method-w-body/

After corresponding with the document authors, I have been directed to send my feedback to the IETF HTTP WG mailing list.

Document feedback:

1. Introduction

Moving query parameters from the request URI to the request body improves overall security, given that the request URI is often cached, stored, logged and otherwise potentially disclosed by intermediary systems. As a result, if PII or other sensitive information is included in the query section of an URI, it is at a higher risk when compared to when it is included in the request body.

A description of this advantage may be worth including.

2. Query

The resource that a query method targets is often a representation of a collection. As such, while technically correct, I would consider the statement, "The payload returned in response to a QUERY cannot be assumed to be a representation of the resource identified by the effective request URI." to be a little strong. Perhaps, "The payload returned in response to a QUERY MAY be a representation other than the resource identified by the effective request URI."?

The statement "If the response includes content, it is expected to describe the results of the operation." would be clearer if it was worded, "If the response includes a response body, it is expected to describe the results of the operation."

Regarding, "It is important to note, however, that such conditions are evaluated against the state of the target resource itself as opposed to the collected results of the search operation.", when the target resource is the collection, the conditions are evaluated against the entire collection (not just against the resulting subset, as you mention). This distinction may require additional elaboration.

3. The "Accept-Query" Header Field

The sentence "The order of types listed by the Accept-Query header field is insignificant." should be changed to "The order of types listed by the Accept-Query header field is not significant." Insignificant implies that there is a difference indicated by the order, but it can be disregarded, where not significant indicates that there is no difference indicated by the order, and it shall be disregarded.

4. Examples

I would encourage including an example with a JSON query request and response.

Here is a potential example that uses the draft IETF JSONPath query (https://datatracker.ietf.org/doc/draft-ietf-jsonpath-base/):


4.3 Simple QUERY with JSON response

A GET for a JSON resource:

GET /books HTTP/1.1
Host: example.org
Accept: application/json

Response:

HTTP/1.1 200 OK
Content-Type: application/json

{ "store": {
       "book": [
         { "category": "reference",
           "author": "Nigel Rees",
           "title": "Sayings of the Century",
           "price": 8.95
         },
         { "category": "fiction",
           "author": "Evelyn Waugh",
           "title": "Sword of Honour",
           "price": 12.99
         },
         { "category": "fiction",
           "author": "Herman Melville",
           "title": "Moby Dick",
           "isbn": "0-553-21311-3",
           "price": 8.99
         },
         { "category": "fiction",
           "author": "J. R. R. Tolkien",
           "title": "The Lord of the Rings",
           "isbn": "0-395-19395-8",
           "price": 22.99
         }
       ],
       "bicycle": {
         "color": "red",
         "price": 19.95
       }
     }
   }

A simple query with a JSON response body:

QUERY /books HTTP/1.1
Host: example.org
Content-Type: example/jsonpath
Accept: application/json

$..book[?(@.price<10)].title

Response:

HTTP/1.1 200 OK
Content-Type: application/json

[
   "Sayings of the Century",
   "Moby Dick"
]



Thanks,

David Slik
Technical Director, Astra Platform
NetApp, Inc.
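
An added worked example, not part of David's message or of the draft: a small Python server and client that carry out the QUERY exchange from section 4.3 above and also illustrate the point made in section 1. The server records only the request line, as an access log or intermediary would, so the same search sent as a GET query string appears in the log while the QUERY body does not. The JSONPath evaluator is an assumption for the example: it supports only the one filter shape used in the message (`$..<key>[?(@.<field><number)].<projection>`), and the media type `example/jsonpath` is the placeholder from the draft's own example. The book store document is the constructed sample from the message.

```python
import json
import re
import threading
import urllib.parse
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample resource: the book store from the message above.
STORE = {"store": {"book": [
    {"category": "reference", "author": "Nigel Rees", "title": "Sayings of the Century", "price": 8.95},
    {"category": "fiction", "author": "Evelyn Waugh", "title": "Sword of Honour", "price": 12.99},
    {"category": "fiction", "author": "Herman Melville", "title": "Moby Dick",
     "isbn": "0-553-21311-3", "price": 8.99},
    {"category": "fiction", "author": "J. R. R. Tolkien", "title": "The Lord of the Rings",
     "isbn": "0-395-19395-8", "price": 22.99}],
    "bicycle": {"color": "red", "price": 19.95}}}

# Assumed, deliberately tiny JSONPath subset: $..<key>[?(@.<field><<number>)].<projection>
_PATH_RE = re.compile(r"^\$\.\.(\w+)\[\?\(@\.(\w+)<(\d+(?:\.\d+)?)\)\]\.(\w+)$")


def evaluate_jsonpath(doc, path):
    """Recursive-descent lookup of `key`, numeric `<` filter, then projection."""
    m = _PATH_RE.match(path.strip())
    if not m:
        raise ValueError("unsupported JSONPath expression")
    key, field, limit, projection = m.group(1), m.group(2), float(m.group(3)), m.group(4)
    hits = []

    def descend(node):  # collect every object member named `key`, at any depth
        if isinstance(node, dict):
            for k, v in node.items():
                if k == key:
                    hits.append(v)
                descend(v)
        elif isinstance(node, list):
            for v in node:
                descend(v)

    descend(doc)
    results = []
    for hit in hits:
        for item in hit if isinstance(hit, list) else [hit]:
            value = item.get(field) if isinstance(item, dict) else None
            if isinstance(value, (int, float)) and value < limit and projection in item:
                results.append(item[projection])
    return results


ACCESS_LOG = []  # what a server or intermediary log typically retains: the request line


class BookHandler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):  # replace stderr logging with an in-memory log
        ACCESS_LOG.append(self.requestline)

    def _send_json(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):  # the query string, if any, is ignored but already logged
        self._send_json(200, STORE)

    def do_QUERY(self):  # BaseHTTPRequestHandler dispatches any method to do_<METHOD>
        if self.headers.get("Content-Type") != "example/jsonpath":
            self._send_json(415, {"error": "unsupported query media type"})
            return
        query = self.rfile.read(int(self.headers.get("Content-Length", "0"))).decode()
        try:
            self._send_json(200, evaluate_jsonpath(STORE, query))
        except ValueError as exc:
            self._send_json(400, {"error": str(exc)})


def _send(port, method, path, body=None, headers=None):
    conn = HTTPConnection("127.0.0.1", port)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    payload = json.loads(resp.read())
    conn.close()
    return resp.status, payload


def run_exchange(query="$..book[?(@.price<10)].title"):
    """GET with the search in the URI, then QUERY with it in the body; return titles and log."""
    ACCESS_LOG.clear()
    server = HTTPServer(("127.0.0.1", 0), BookHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        _send(port, "GET", "/books?q=" + urllib.parse.quote(query), headers={"Accept": "application/json"})
        status, titles = _send(port, "QUERY", "/books", body=query.encode(),
                               headers={"Content-Type": "example/jsonpath", "Accept": "application/json"})
    finally:
        server.shutdown()
        server.server_close()
    return status, titles, list(ACCESS_LOG)


if __name__ == "__main__":
    print(run_exchange())
```

Running it returns the two titles from the message's expected response together with two log lines: the GET line carries the full, percent-encoded search expression, while the QUERY line is just `QUERY /books HTTP/1.1`. The handler's 415 path shows the role of the `Content-Type` check: a server should refuse query bodies in media types it does not understand rather than guess at them.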