[OpenAjaxSecurity] Fw: GET vs HEAD vs OPTIONS

Jon Ferraiolo jferrai at us.ibm.com
Fri Jan 4 11:20:10 PST 2008


At this point, I think I will quit posting to the WAF WG list on the
subject of GET vs HEAD. The editor, Anne, has dismissed my feedback on the
issue once again, this time with "we have discussed this issue extensively
before". (I'm not sure who the "we" is.) At this point, it would be better
if Manos, Bertrand and Kris expressed their points of view on the WAF
mailing list directly because Anne isn't giving an acceptable response to
my emails.

Jon


security-bounces at openajax.org wrote on 01/04/2008 11:05:46 AM:

> Yes, I agree with that. One thing they didn't answer yet is the
> concern of sending unnecessary potentially large chunks of data. I
> sent that question a few minutes ago. I encourage you to also post
> your remarks on the w3c list, it's super-easy.
>
> Their most convincing answer to why they want to use GET is that
> they want the policy to be enforceable using a simple file on the
> server. That makes some sense but your solution would cover that scenario
> too.
>
> -----Original Message-----
> From: security-bounces at openajax.org [mailto:security-
> bounces at openajax.org] On Behalf Of Emmanouil Batsis (Manos)
> Sent: Friday, January 04, 2008 10:53 AM
> To: OpenAjax Alliance Security Task Force
> Subject: Re: [OpenAjaxSecurity] Fw: GET vs HEAD vs OPTIONS
>
> Jon Ferraiolo wrote:
> > It looks to me that the WAF WG believes HEAD should not work, only GET.
> > Discussion is happening on the WAF mailing list in parallel with this
> > discussion.
>
> Maybe I'm missing something here, but I just do not get it. Essentially
> HEAD is GET without the response body, which is exactly what is needed
> for the use case. If that is all there is to it, I see no point in
> wasting resources by adding the response body to the HTTP traffic.
>
> Incomplete implementations should not be our concern. Even if it is,
> others should not pay for them. If the intention is to support such
> implementations, can't a fallback to GET be performed after an HTTP 501?
>
> --
> Manos Batsis, Chief Technologist
>           __    _
>    ____ _/ /_  (_)_________ ____ ______
>   / __ `/ __ \/ / ___/ ___// __ `/ ___/
> / /_/ / /_/ / (__  |__  )/ /_/ / /
> \__,_/_.___/_/____/____(_)__, /_/
>                          /____/
>
> 5, Daphnidos Street,
> 14122, Neo Iraklio,
> Athens, Greece
>
> Tel: +30 210 2851517
> Mob: +30 694 8376942
>
> http://dev.abiss.gr
>
> "BSD code is free code to be used in software. GPL code is code to be
> used in free software." Kjella (173770), Slashdot
> _______________________________________________
> security mailing list
> security at openajax.org
> http://openajax.org/mailman/listinfo/security
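The HEAD-versus-GET point Manos makes above, and his question about falling back to GET after an HTTP 501, as an added example that is not code from this thread, from the OpenAjax Alliance or from the WAF WG. The policy path and file contents are constructed stand-ins (the thread does not show the real document format), and the client goes slightly beyond the message by also treating a 405 as "HEAD not implemented", since some servers answer that way instead of 501. Two local handlers are used: one that only implements GET (so HEAD gets a 501 from the standard library), and one that implements HEAD properly.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for a server-side policy file (hypothetical path and
# content; the thread does not show the real document format).
POLICY_PATH = "/policy"
POLICY_BODY = b"allow <*.example.com>\n"


class GetOnlyHandler(BaseHTTPRequestHandler):
    """Serves the policy file with GET only. BaseHTTPRequestHandler answers
    any method it has no do_<METHOD> for, HEAD included, with 501."""

    def do_GET(self):
        self._send_policy(send_body=True)

    def _send_policy(self, send_body):
        if self.path != POLICY_PATH:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(POLICY_BODY)))
        self.end_headers()
        if send_body:
            self.wfile.write(POLICY_BODY)

    def log_message(self, *args):
        pass  # keep the example quiet


class HeadAwareHandler(GetOnlyHandler):
    """Same policy, but HEAD is implemented: identical headers, no body."""

    def do_HEAD(self):
        self._send_policy(send_body=False)


def fetch_policy_headers(host, port, path=POLICY_PATH):
    """Ask for the policy with HEAD; if the server signals that HEAD is not
    implemented (501, or the 405 some servers use instead), retry with GET.
    Returns (method_used, status, headers, body_bytes_received)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        for method in ("HEAD", "GET"):
            conn.request(method, path)
            resp = conn.getresponse()
            body = resp.read()          # b"" for HEAD: no body is sent
            if method == "HEAD" and resp.status in (405, 501):
                continue                # fall back to GET
            headers = {k.lower(): v for k, v in resp.getheaders()}
            return method, resp.status, headers, len(body)
    finally:
        conn.close()


def run_against(handler_class):
    """Start a throwaway local server with the given handler, fetch the policy
    through fetch_policy_headers, stop the server and return the result."""
    srv = HTTPServer(("127.0.0.1", 0), handler_class)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return fetch_policy_headers("127.0.0.1", srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for cls in (GetOnlyHandler, HeadAwareHandler):
        method, status, headers, nbytes = run_against(cls)
        print(f"{cls.__name__}: used {method}, status {status}, "
              f"Content-Length {headers.get('content-length')}, "
              f"{nbytes} body bytes on the wire")
```

Against the HEAD-aware handler the client gets the same status and Content-Length as a GET would return with zero body bytes on the wire; against the GET-only handler it pays one extra round trip (the 501) and then receives the full body. The fallback only works when the server actually signals 405 or 501; a server that answers HEAD with 200 and a body is misbehaving, and the client above never reads such a body because the HTTP client treats HEAD responses as bodiless.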