Re: [hybi] straw-poll on GET vs OPTIONS vs new method
Julian Reschke <julian.reschke@gmx.de> Sat, 29 January 2011 09:01 UTC
Return-Path: <julian.reschke@gmx.de>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 156343A6AAA for <hybi@core3.amsl.com>; Sat, 29 Jan 2011 01:01:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.856
X-Spam-Level:
X-Spam-Status: No, score=-103.856 tagged_above=-999 required=5 tests=[AWL=-1.257, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uXI73+FXnJMN for <hybi@core3.amsl.com>; Sat, 29 Jan 2011 01:01:25 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by core3.amsl.com (Postfix) with SMTP id 97A6C3A6956 for <hybi@ietf.org>; Sat, 29 Jan 2011 01:01:23 -0800 (PST)
Received: (qmail invoked by alias); 29 Jan 2011 09:04:29 -0000
Received: from p508FAE55.dip.t-dialin.net (EHLO [192.168.178.33]) [80.143.174.85] by mail.gmx.net (mp008) with SMTP; 29 Jan 2011 10:04:29 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/aLKRSYEDaIDnFcG9ETTdmErRVLEWDbfap8co7to 3YZyX6Mv7Pt7s8
Message-ID: <4D43D80B.7010903@gmx.de>
Date: Sat, 29 Jan 2011 10:04:11 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101207 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>
References: <4D394B51.2060105@ericsson.com> <CA566BAEAD6B3F4E8B5C5C4F61710C1126DDF08E@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <CA566BAEAD6B3F4E8B5C5C4F61710C1126DDF08E@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: Joe Hildebrand <Joe.Hildebrand@webex.com>, "hybi@ietf.org" <hybi@ietf.org>, SM <sm+ietf@elandsys.com>
Subject: Re: [hybi] straw-poll on GET vs OPTIONS vs new method
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jan 2011 09:01:26 -0000
On 29.01.2011 08:03, Gabriel Montenegro wrote: > ... > The point that previous uses of OPTIONS can lead to confusion with previous usage was made in reference to its use in CORS (http://www.w3.org/TR/cors/). There's also WEBDAV (http://tools.ietf.org/html/rfc4918) and others. This point argues for WEBSOCKET (a brand new method with no other previous usage) over either GET or OPTIONS. > ... I don't think there's a problem with OPTIONS and WebDAV. WebDAV uses OPTIONS just the way it's designed for, and I'm not aware of any potential problems using OPTIONS in other protocol exchanges as well. If you do, you need to elaborate. OPTIONS and CORS is a slightly different story because of the stupid requirement CORS makes on OPTIONS not to require authentication. That's a design flaw in CORS. I'm not sure how it would affect usage of OPTIONS over here, though. > +1 WEBSOCKET > > Even though both GET and OPTIONS have existing usage, they are not equally safe. GET and POST (which are by far the most used) undergo much more scrutiny than other lesser-known or completely arbitrary methods. Lesser methods can be used to exploit vulnerabilities in faulty ACL checking: > http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)#Arbitrary_HTTP_Methods Not convinced. The linked text correctly reports that some frameworks do only ACL on certain methods, but then fallback to execute unknown methods as GET. That's a bug, indeed. Do we have evidence that Websockets is going to be deployable on frameworks like these anyway? Also, these frameworks are vulnerable already, how does Websockets change the situation? > ... > Another point against GET and OPTIONS is that both are supposed to be idempotent. This has been misconstrued as a requirement to cause no changes at the server. http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-12#section-7.1.2 clarifies: > > ... It is important to > note that idempotence refers only to changes requested by the client: > a server is free to change its state due to multiple requests for the > purpose of tracking those requests, versioning of results, etc. > > Since the Upgrade effects a change on the connection, not on the resource, I don't see idempotence as an argument against GET, OPTIONS or any other idempotent method. > ... That's correct. Best regards, Julian
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Willy Tarreau
- [hybi] straw-poll on GET vs OPTIONS vs new method Salvatore Loreto
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Dave Cridland
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Salvatore Loreto
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Adam Barth
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Julian Reschke
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Willy Tarreau
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Salvatore Loreto
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Roberto Peon
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Joe Mason
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Patrick McManus
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Scott Ferguson
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Dave Cridland
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Scott Ferguson
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Joel Martin
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Ian Fette (イアンフェッティ)
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Bruce Atherton
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Joonas Lehtolahti
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… John Tamplin
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Dave Cridland
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… John Fallows
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Senthilkumar Peelikkampatti
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Bjoern Hoehrmann
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Willy Tarreau
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Julian Reschke
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Bjoern Hoehrmann
- [hybi] On WEBSOCKET vs existing methods (was stra… Willy Tarreau
- Re: [hybi] On WEBSOCKET vs existing methods (was … Julian Reschke
- Re: [hybi] On WEBSOCKET vs existing methods (was … Bjoern Hoehrmann
- Re: [hybi] On WEBSOCKET vs existing methods (was … Willy Tarreau
- Re: [hybi] On WEBSOCKET vs existing methods (was … Julian Reschke
- Re: [hybi] On WEBSOCKET vs existing methods (was … Willy Tarreau
- Re: [hybi] On WEBSOCKET vs existing methods (was … Bjoern Hoehrmann
- Re: [hybi] On WEBSOCKET vs existing methods (was … Willy Tarreau
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Joe Mason
- [hybi] Naive questions about WebSocket design Emmanuel BUU
- Re: [hybi] Naive questions about WebSocket design Adam Barth
- Re: [hybi] On WEBSOCKET vs existing methods (was … Senthilkumar Peelikkampatti
- Re: [hybi] On WEBSOCKET vs existing methods (was … Roy T. Fielding
- Re: [hybi] On WEBSOCKET vs existing methods (was … Jamie Lokier
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Jamie Lokier
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Jamie Lokier
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… John Tamplin
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Dave Cridland
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Dave Cridland
- Re: [hybi] On WEBSOCKET vs existing methods (was … Willy Tarreau
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Willy Tarreau
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Jamie Lokier
- Re: [hybi] On WEBSOCKET vs existing methods (was … Jamie Lokier
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Greg Wilkins
- Re: [hybi] On WEBSOCKET vs existing methods (was … Willy Tarreau
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Joe Mason
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Jamie Lokier
- Re: [hybi] On WEBSOCKET vs existing methods (was … Jamie Lokier
- Re: [hybi] On WEBSOCKET vs existing methods (was … Willy Tarreau
- Re: [hybi] On WEBSOCKET vs existing methods (was … Jamie Lokier
- Re: [hybi] On WEBSOCKET vs existing methods (was … Willy Tarreau
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Gabriel Montenegro
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Julian Reschke
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Gabriel Montenegro
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Julian Reschke
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Gabriel Montenegro
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Julian Reschke
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Ian Fette (イアンフェッティ)
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Gabriel Montenegro
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Bjoern Hoehrmann
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Ian Fette (イアンフェッティ)
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Greg Wilkins
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Willy Tarreau
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Scott Ferguson
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Willy Tarreau
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Joe Mason
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Scott Ferguson
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Joel Martin
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Julian Reschke
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Paul Colomiets
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Scott Ferguson
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Julian Reschke
- [hybi] websocket methods - both http and procedur… Pat McManus @Mozilla
- Re: [hybi] websocket methods - both http and proc… Gabriel Montenegro
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Joel Martin
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Paul Colomiets
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Bruce Atherton
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Julian Reschke
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Jamie Lokier
- Re: [hybi] straw-poll on GET vs OPTIONS vs new me… Paul Colomiets
- Re: [hybi] websocket methods - both http and proc… Greg Wilkins
- Re: [hybi] websocket methods - both http and proc… Ian Fette (イアンフェッティ)