IETF Logo Mail Archive

Re: [hybi] straw-poll on GET vs OPTIONS vs new method

Gabriel Montenegro <Gabriel.Montenegro@microsoft.com> Wed, 02 February 2011 16:43 UTC

Return-Path: <Gabriel.Montenegro@microsoft.com>
X-Original-To: hybi@core3.amsl.com
Delivered-To: hybi@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C43353A6D88 for <hybi@core3.amsl.com>; Wed, 2 Feb 2011 08:43:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.449
X-Spam-Level:
X-Spam-Status: No, score=-10.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VOzeLIS1M27T for <hybi@core3.amsl.com>; Wed, 2 Feb 2011 08:43:07 -0800 (PST)
Received: from smtp.microsoft.com (mailb.microsoft.com [131.107.115.215]) by core3.amsl.com (Postfix) with ESMTP id E73AB3A6D7B for <hybi@ietf.org>; Wed, 2 Feb 2011 08:43:05 -0800 (PST)
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (157.54.79.174) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Wed, 2 Feb 2011 08:46:25 -0800
Received: from TK5EX14MLTW652.wingroup.windeploy.ntdev.microsoft.com (157.54.71.68) by TK5EX14MLTC103.redmond.corp.microsoft.com (157.54.79.174) with Microsoft SMTP Server (TLS) id 14.1.270.2; Wed, 2 Feb 2011 08:46:25 -0800
Received: from TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com ([169.254.5.102]) by TK5EX14MLTW652.wingroup.windeploy.ntdev.microsoft.com ([157.54.71.68]) with mapi; Wed, 2 Feb 2011 08:46:26 -0800
From: Gabriel Montenegro <Gabriel.Montenegro@microsoft.com>
To: Julian Reschke <julian.reschke@gmx.de>
Thread-Topic: [hybi] straw-poll on GET vs OPTIONS vs new method
Thread-Index: AQHLuUoQ3oNzz/PaKUq0SFj3SnFkQpPnkhtggACoaYCABkJ88A==
Date: Wed, 02 Feb 2011 16:46:23 +0000
Message-ID: <CA566BAEAD6B3F4E8B5C5C4F61710C1126DEC040@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com>
References: <4D394B51.2060105@ericsson.com> <CA566BAEAD6B3F4E8B5C5C4F61710C1126DDF08E@TK5EX14MBXW605.wingroup.windeploy.ntdev.microsoft.com> <4D43D80B.7010903@gmx.de>
In-Reply-To: <4D43D80B.7010903@gmx.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Joe Hildebrand <Joe.Hildebrand@webex.com>, "hybi@ietf.org" <hybi@ietf.org>, SM <sm+ietf@elandsys.com>
Subject: Re: [hybi] straw-poll on GET vs OPTIONS vs new method
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Feb 2011 16:43:08 -0000

Hi Julian,

Sorry for the delay. You say you're "not convinced". Perhaps I can't convince you as ultimately it might be a matter of taste. I can try to explain why my distaste for OPTIONS.

The issue with OPTIONS is that it is different in nature than GET. In both cases there is processing that must deal with existing code paths and usage. However, OPTIONS is meant for querying capabilities of the server. These capabilities are ever expanding by adding modules to your server. OPTIONS processing is typically farmed out to those modules since they are the only ones authoritative about the capabilities available via that particular module. So there's significant OPTIONS processing not just at the server, but at random modules that happen to be added at that server (which may happen even in the presence of a path).  Mixing in what random modules will do as part of their processing and how that might or might not affect OPTIONS processing, and in what mix of random modules, etc,  is too much randomization into the Upgrade processing. It's also the method to use to find out if the server supports websockets, except it is being proposed also as the method to use to actually invoke them. It would be best from simplicity point of view to keep  those two roles separate. 

We've been taking into consideration the enormous variability of infrastructure and proxies in our decisions so far, I think ignoring the ever expanding processing of OPTIONS due to random modules or plug-ins at servers, and how that will interact with websockets is inconsistent with that concern.

That's why I think it is the worst of all methods being discussed.

Gabriel

> -----Original Message-----
> From: Julian Reschke [mailto:julian.reschke@gmx.de]
> Sent: Saturday, January 29, 2011 1:04 AM
> To: Gabriel Montenegro
> Cc: Salvatore Loreto; hybi@ietf.org; Joe Hildebrand; SM
> Subject: Re: [hybi] straw-poll on GET vs OPTIONS vs new method
> 
> On 29.01.2011 08:03, Gabriel Montenegro wrote:
> > ...
> > The point that previous uses of OPTIONS can lead to confusion with previous
> usage was made in reference to its use in CORS (http://www.w3.org/TR/cors/).
> There's also WEBDAV (http://tools.ietf.org/html/rfc4918) and others.  This point
> argues for WEBSOCKET (a brand new method with no other previous usage)
> over either GET or OPTIONS.
> > ...
> 
> I don't think there's a problem with OPTIONS and WebDAV. WebDAV uses
> OPTIONS just the way it's designed for, and I'm not aware of any
> potential problems using OPTIONS in other protocol exchanges as well. If
> you do, you need to elaborate.
> 
> OPTIONS and CORS is a slightly different story because of the stupid
> requirement CORS makes on OPTIONS not to require authentication. That's
> a design flaw in CORS. I'm not sure how it would affect usage of OPTIONS
> over here, though.
> 
> > +1 WEBSOCKET
> >
> > Even though both GET and OPTIONS have existing usage, they are not equally
> safe. GET and POST (which are by far the most used) undergo much more
> scrutiny than other lesser-known or completely arbitrary methods. Lesser
> methods can be used to exploit vulnerabilities in faulty ACL checking:
> >
> http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST_(OWA
> SP-CM-008)#Arbitrary_HTTP_Methods
> 
> Not convinced. The linked text correctly reports that some frameworks do
> only ACL on certain methods, but then fallback to execute unknown
> methods as GET. That's a bug, indeed. Do we have evidence that
> Websockets is going to be deployable on frameworks like these anyway?
> Also, these frameworks are vulnerable already, how does Websockets
> change the situation?
> 
>  > ...
> > Another point against GET and OPTIONS is that both are supposed to be
> idempotent. This has been misconstrued as a requirement to cause no changes
> at the server. http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-
> 12#section-7.1.2 clarifies:
> >
> >     ...  It is important to
> >     note that idempotence refers only to changes requested by the client:
> >     a server is free to change its state due to multiple requests for the
> >     purpose of tracking those requests, versioning of results, etc.
> >
> > Since the Upgrade effects a change on the connection, not on the resource, I
> don't see idempotence as an argument against GET, OPTIONS or any other
> idempotent method.
> > ...
> 
> That's correct.
> 
> Best regards, Julian

v2.23.0 | Report a Bug | By Email