IETF Logo Mail Archive

Re: [hybi] straw-poll on GET vs OPTIONS vs new method

Julian Reschke <julian.reschke@gmx.de> Sat, 29 January 2011 09:01 UTC

Return-Path: <julian.reschke@gmx.de>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 156343A6AAA for <hybi@core3.amsl.com>; Sat, 29 Jan 2011 01:01:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.856
X-Spam-Level:
X-Spam-Status: No, score=-103.856 tagged_above=-999 required=5 tests=[AWL=-1.257, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uXI73+FXnJMN for <hybi@core3.amsl.com>; Sat, 29 Jan 2011 01:01:25 -0800 (PST)
Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.22]) by core3.amsl.com (Postfix) with SMTP id 97A6C3A6956 for <hybi@ietf.org>; Sat, 29 Jan 2011 01:01:23 -0800 (PST)
Received: (qmail invoked by alias); 29 Jan 2011 09:04:29 -0000
Received: from p508FAE55.dip.t-dialin.net (EHLO [192.168.178.33]) [80.143.174.85] by mail.gmx.net (mp008) with SMTP; 29 Jan 2011 10:04:29 +0100
X-Authenticated: #1915285
X-Provags-ID: V01U2FsdGVkX1/aLKRSYEDaIDnFcG9ETTdmErRVLEWDbfap8co7to 3YZyX6Mv7Pt7s8
Message-ID: <4D43D80B.7010903@gmx.de>
Date: Sat, 29 Jan 2011 10:04:11 +0100
From: Julian Reschke <julian.reschke@gmx.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101207 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>
References: <4D394B51.2060105@ericsson.com> <CA566BAEAD6B3F4E8B5C5C4F61710C1126DDF08E@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <CA566BAEAD6B3F4E8B5C5C4F61710C1126DDF08E@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Y-GMX-Trusted: 0
Cc: Joe Hildebrand <Joe.Hildebrand@webex.com>, "hybi@ietf.org" <hybi@ietf.org>, SM <sm+ietf@elandsys.com>
Subject: Re: [hybi] straw-poll on GET vs OPTIONS vs new method
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 Jan 2011 09:01:26 -0000

On 29.01.2011 08:03, Gabriel Montenegro wrote:
> ...
> The point that previous uses of OPTIONS can lead to confusion with previous usage was made in reference to its use in CORS (http://www.w3.org/TR/cors/). There's also WEBDAV (http://tools.ietf.org/html/rfc4918) and others.  This point argues for WEBSOCKET (a brand new method with no other previous usage) over either GET or OPTIONS.
> ...

I don't think there's a problem with OPTIONS and WebDAV. WebDAV uses 
OPTIONS just the way it's designed for, and I'm not aware of any 
potential problems using OPTIONS in other protocol exchanges as well. If 
you do, you need to elaborate.

OPTIONS and CORS is a slightly different story because of the stupid 
requirement CORS makes on OPTIONS not to require authentication. That's 
a design flaw in CORS. I'm not sure how it would affect usage of OPTIONS 
over here, though.

> +1 WEBSOCKET
>
> Even though both GET and OPTIONS have existing usage, they are not equally safe. GET and POST (which are by far the most used) undergo much more scrutiny than other lesser-known or completely arbitrary methods. Lesser methods can be used to exploit vulnerabilities in faulty ACL checking:
> http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)#Arbitrary_HTTP_Methods

Not convinced. The linked text correctly reports that some frameworks do 
only ACL on certain methods, but then fallback to execute unknown 
methods as GET. That's a bug, indeed. Do we have evidence that 
Websockets is going to be deployable on frameworks like these anyway? 
Also, these frameworks are vulnerable already, how does Websockets 
change the situation?

 > ...
> Another point against GET and OPTIONS is that both are supposed to be idempotent. This has been misconstrued as a requirement to cause no changes at the server. http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-12#section-7.1.2 clarifies:
>
>     ...  It is important to
>     note that idempotence refers only to changes requested by the client:
>     a server is free to change its state due to multiple requests for the
>     purpose of tracking those requests, versioning of results, etc.
>
> Since the Upgrade effects a change on the connection, not on the resource, I don't see idempotence as an argument against GET, OPTIONS or any other idempotent method.
> ...

That's correct.

Best regards, Julian

v2.23.0 | Report a Bug | By Email