
Wednesday, October 17, 2007

Comments


yiming

Jeff Mogul, one of the authors listed on the HTTP/1.1 specification, also doesn't know for sure about a GET request with a body ( http://lists.w3.org/Archives/Public/ietf-http-wg/2006AprJun/0103.html ). So apparently the specs didn't cover this part.

He did mention a security concern, about proxy and cache servers possibly being exploited via GET with body. I searched a bit and found a whitepaper ( http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf ) on HTTP Request Smuggling that seemed to suggest this might be a problem. I'd surmise that some servers might just assume "Content-length: 0" on any GET request or drop them.

Apache certainly happily processes a GET request with body - and PHP works just fine extracting it. I think I've (ab)used this feature/bug before.

dret

hm. thanks, yiming. in my opinion this looks as if GETs with bodies are probably allowed, but they are not widely used and may be blocked or dropped by some implementations and/or may be viewed as security risks by others. that does not sound like a very attractive starting point for deploying something on the web, but on the other hand i would be interested why bodies for GET should be more problematic than for other methods (other than being more exotic).

furthermore, what would be the best RESTful way to handle the scenario i am looking at, trying to define GET for a service that has a query format that really does not map well to URI query strings. imagine an image database with similarity search, where users can search for images by querying with an image. this definitely would not work as URI query string, and still should be a GET according to REST principles.
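The framing hazard yiming raises (a proxy or cache that assumes "Content-Length: 0" on GET) and dret's question of why a GET body is riskier than a body on other methods come down to the same thing: two parsers on the path disagreeing about where one request ends. The following is an added illustration, not code from the post or its commenters; it models three parser policies over a constructed byte stream (the policy names and the `/search` and `/other` targets are assumptions for the example).

```python
# Added example, not from the post: three ways a parser can frame a GET
# that declares a Content-Length (the "assume Content-Length: 0" behaviour
# yiming describes is the "ignore" policy below).
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

def parse_stream(data: bytes, get_body_policy: str = "honour") -> list:
    """Split a raw HTTP/1.1 byte stream into requests.
    "honour": Content-Length applies to GET as to any other method.
    "ignore": body length forced to 0 on GET (the lax parser).
    "reject": a GET carrying a body is refused outright."""
    reqs, pos = [], 0
    while pos < len(data):
        end = data.find(b"\r\n\r\n", pos)
        if end == -1:
            raise ValueError("truncated request head")
        lines = data[pos:end].decode("ascii").split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        if method == "GET" and length:
            if get_body_policy == "reject":
                raise ValueError("GET with message body refused")
            if get_body_policy == "ignore":
                length = 0  # the body bytes stay in the stream, unread
        body_start = end + 4
        body = data[body_start:body_start + length]
        if len(body) != length:
            raise ValueError("truncated body")
        reqs.append(Request(method, target, headers, body))
        pos = body_start + length
    return reqs

# Constructed sample: one GET whose 32-byte body is opaque data to the
# "honour" parser but is re-read as a request head by the "ignore" parser.
SAMPLE = (b"GET /search HTTP/1.1\r\nHost: example.test\r\nContent-Length: 32\r\n\r\n"
          b"GET /other HTTP/1.1\r\nHost: x\r\n\r\n")

def request_targets(policy: str) -> list:
    """Targets the given policy believes SAMPLE contains."""
    return [r.target for r in parse_stream(SAMPLE, policy)]
```

"honour" yields one request (`/search`) with its body intact, "ignore" yields two (`/search`, `/other`), and "reject" fails the request with an error: when a front-end and a back-end pick different policies they no longer agree on request boundaries, which is the desynchronisation the request-smuggling paper describes, and the defensive choice is to apply one policy consistently (honour the declared length everywhere, or reject GET bodies explicitly rather than silently dropping them).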

Gabriel

Hey dret,

Have you found the answer to your questions? I have the same idea about using GET requests with a body, but I can't find a definitive answer from the RFCs.

dret

hello gabriel. i added a PPS to the post. the short answer to your question is: there is no definitive answer in the new RFCs. the revised HTTP/1.1 simply says that you should be careful, because implementations may not be prepared to handle GET requests with a message body.

