Re: [hybi] straw-poll on GET vs OPTIONS vs new method

Gabriel Montenegro <Gabriel.Montenegro@microsoft.com> Sat, 29 January 2011 07:00 UTC

From: Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>
To: Salvatore Loreto <salvatore.loreto@ericsson.com>, "hybi@ietf.org" <hybi@ietf.org>
Thread-Topic: [hybi] straw-poll on GET vs OPTIONS vs new method
Date: Sat, 29 Jan 2011 07:03:42 +0000
Message-ID: <CA566BAEAD6B3F4E8B5C5C4F61710C1126DDF08E@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com>
References: <4D394B51.2060105@ericsson.com>
In-Reply-To: <4D394B51.2060105@ericsson.com>
Cc: Joe Hildebrand <Joe.Hildebrand@webex.com>, SM <sm+ietf@elandsys.com>
Subject: Re: [hybi] straw-poll on GET vs OPTIONS vs new method

Unfortunately, I can't say which I'd absolutely prefer, but I can say that OPTIONS is at the very bottom.

In other words, my preference is:

#3 (WEBSOCKET) over #2 (OPTIONS)
#1 (GET) over #2 (OPTIONS)

Here's some rationale:

The point that previous uses of OPTIONS can lead to confusion was made in reference to its use in CORS (http://www.w3.org/TR/cors/). There's also WEBDAV (http://tools.ietf.org/html/rfc4918) and others. This point argues for WEBSOCKET (a brand new method with no other previous usage) over either GET or OPTIONS.

+1 WEBSOCKET

Even though both GET and OPTIONS have existing usage, they are not equally safe. GET and POST (which are by far the most used) undergo much more scrutiny than other lesser-known or completely arbitrary methods. Lesser methods can be used to exploit vulnerabilities in faulty ACL checking:
http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWASP-CM-008)#Arbitrary_HTTP_Methods

This argues for GET over either OPTIONS or WEBSOCKET.

+1 GET

The reason why the straw poll was initiated is that it was argued that OPTIONS is what RFC2817 uses. This is true, but only partly so. RFC2817 uses *both* GET and OPTIONS.

GET is used in an "Optional Upgrade" per http://tools.ietf.org/html/rfc2817#section-3.1. This means that the GET request could be satisfied by the server either (1) without heeding the Upgrade, or (2) by first switching protocols as requested by the Upgrade, and then answering the original request, per the order specified in http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-12#section-9.8:

   ... although the first action
   after changing the protocol MUST be a response to the initial HTTP
   request containing the Upgrade header field.

OPTIONS is used in a "Mandatory Upgrade" per http://tools.ietf.org/html/rfc2817#section-3.2. The Upgrade is still optional at the server, of course, but if it's not heeded, the client could abort at this time. This would make the upgrade a precondition to fetching the resource ("mandatory" in that respect).

So RFC2817 is not an argument for either method, but for the use of more than one. The WG seems to have spoken against this, and I agree: it's best to have only one and avoid more complexity.

Another point against GET and OPTIONS is that both are supposed to be idempotent. This has been misconstrued as a requirement to cause no changes at the server. http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-12#section-7.1.2 clarifies:

   ...  It is important to
   note that idempotence refers only to changes requested by the client:
   a server is free to change its state due to multiple requests for the
   purpose of tracking those requests, versioning of results, etc.

Since the Upgrade effects a change on the connection, not on the resource, I don't see idempotence as an argument against GET, OPTIONS or any other idempotent method.

That's why I prefer WEBSOCKET or GET (and only one) over OPTIONS.

Gabriel
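
The "faulty ACL checking" point above, as an added illustration that is not part of the original mail or the OWASP page it links: a session check keyed on the well-known methods beside one that applies to every method. The request shape, the `/admin/` prefix, and the set of served methods (including the poll's hypothetical WEBSOCKET) are constructed for this example.

```python
# Added example (not from the mail): a method-sensitive ACL that only guards
# GET and POST, beside a method-agnostic one. Paths and methods are constructed.
from dataclasses import dataclass
from typing import Tuple

PROTECTED_PREFIX = "/admin/"                               # constructed policy
ALLOWED_METHODS = {"GET", "POST", "OPTIONS", "WEBSOCKET"}  # methods this app serves


@dataclass
class Request:
    method: str
    path: str
    authenticated: bool


def faulty_authorize(req: Request) -> int:
    """Returns an HTTP status. The session check is only evaluated for GET
    and POST, so any other method reaches the protected path unchecked."""
    if req.method in ("GET", "POST") and req.path.startswith(PROTECTED_PREFIX):
        if not req.authenticated:
            return 403
    return 200


def hardened_authorize(req: Request) -> int:
    """Same policy, evaluated for every request. Unknown methods are refused
    up front (HTTP methods are case-sensitive, so no normalisation), and the
    path rule never consults the method."""
    if req.method not in ALLOWED_METHODS:
        return 405
    if req.path.startswith(PROTECTED_PREFIX) and not req.authenticated:
        return 403
    return 200


def compare(method: str, path: str = "/admin/config") -> Tuple[int, int]:
    """Run one unauthenticated request through both checks."""
    req = Request(method=method, path=path, authenticated=False)
    return faulty_authorize(req), hardened_authorize(req)


if __name__ == "__main__":
    for m in ("GET", "OPTIONS", "WEBSOCKET", "TRACK"):
        faulty, hardened = compare(m)
        print(f"{m:10s} faulty={faulty} hardened={hardened}")
```

The faulty check returns 200 for an unauthenticated OPTIONS or WEBSOCKET request to `/admin/config`; the hardened one returns 403, and 405 for a method the application never intended to serve.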


> -----Original Message-----
> From: hybi-bounces@ietf.org [mailto:hybi-bounces@ietf.org] On Behalf Of
> Salvatore Loreto
> Sent: Friday, January 21, 2011 1:01 AM
> To: hybi@ietf.org
> Cc: Joe Hildebrand; SM
> Subject: [hybi] straw-poll on GET vs OPTIONS vs new method
> 
> 
> Hi there,
> 
> after the result of the first straw-poll on GET+Upgrade+Masking, there was a
> discussion about GET not being the only method to "Upgrade" the connection;
> other methods such as OPTIONS
> (http://www.ietf.org/mail-archive/web/hybi/current/msg05721.html)
> and perhaps a completely new method could be used (as proposed months ago).
> 
> All the possibilities have pros and cons.
> 
> The mail thread(s) started to discuss the alternatives convinced Joe and myself,
> as HyBi wg co-chairs, that it makes sense to run a straw-poll to get as much
> information as we can from people about technical reasons (pros and cons) for
> their preference(s).
> 
> 
> So please provide your choices (if more than one, please rank them, or if only
> one, specify "I can live only with") among the following:
> 
> #1 - GET
> #2 - OPTIONS
> #3 - a completely new method (e.g. WEBSOCKET)
> 
> This poll will run until January 31st
> 
> cheers
> /Sal
> 
> --
> Salvatore Loreto
> www.sloreto.com
> 