Hi Roy,

Thanks for the clarification and links - comments inline.

On 10/15/07, Roy T. Fielding <[EMAIL PROTECTED]> wrote:
> ...The original Web design notes forbid the use of GET for any action
> that is considered to have "side-effects", because such an
> implementation allows users to be tricked into performing
> actions that they cannot anticipate...

If we want to go the extra mile in Sling, we could wrap the JCR
Session to make it read-only when processing GET (or HEAD) requests.

That's not totally trivial as we'd have to wrap the Item, Node and
Property as well, but that might help in avoiding GET abuse.

> ...The
> most common workaround for broken browsers (used only after an
> initial request using the real method fails) is to use a POST
> request (known unsafe) and include the real method in a header
> field called "X-HTTP-Method-Override" or "X-Method-Override"....

Dumb clients (say a mobile phone browser) often make it hard to add
custom HTTP headers to form submissions. What would you recommend in
this case? Using a POST which specifies the actual method as a
parameter, as a second workaround in case the above one is not
possible?

> ...If Sling is going to claim to be a RESTful framework, it must
> protect the original design goals and obey the separation of
> concerns within the generic interface of HTTP.  And that
> applies equally to any software we build on top of Sling....

Totally agreed about Sling itself, and your vigilance is appreciated.

About software that people build on top of Sling, I think the best we
can do is to try to educate users in a gentle way, by providing best
practices examples and utilities (like SLING-53).

-Bertrand
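An added sketch of the two ideas discussed above (the read-only JCR Session for GET/HEAD, and honouring a method override carried in a header or a POST parameter); this is example code, not Sling's or Roy's, and the class, method names and the JCR 1.0/2.0 write-method list it assumes are mine. It uses a dynamic proxy so that Node and Property objects handed out by the session are read-only as well.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.Item;
import javax.jcr.Node;
import javax.jcr.Property;
import javax.jcr.Session;

/** Hypothetical helper, not Sling code: refuse repository writes while serving GET/HEAD. */
public final class SafeMethodGuard {
    // Mutating methods of Session, Item, Node and Property (JCR 1.0/2.0 method names).
    private static final Set<String> WRITES = Set.of("save", "move", "removeItem", "importXML",
        "getImportContentHandler", "addNode", "setProperty", "remove", "orderBefore", "addMixin",
        "removeMixin", "setValue", "update", "checkin", "checkout", "merge", "restore", "lock",
        "unlock", "setPrimaryType");
    /** The override (header or form parameter) is honoured only when the real method is POST. */
    public static String effectiveMethod(String realMethod, String headerOverride, String paramOverride) {
        if (!"POST".equalsIgnoreCase(realMethod)) return realMethod.toUpperCase();
        String o = headerOverride != null ? headerOverride : paramOverride;
        return (o == null || o.isBlank()) ? "POST" : o.trim().toUpperCase();
    }
    public static boolean isSafe(String method) {
        return "GET".equals(method) || "HEAD".equals(method);
    }
    /** The session itself for unsafe methods; a read-only proxy for safe ones. */
    public static Session sessionFor(Session session, String effectiveMethod) {
        return isSafe(effectiveMethod) ? (Session) readOnly(session, Session.class) : session;
    }
    private static Object readOnly(Object target, Class<?> iface) {
        InvocationHandler h = (proxy, method, args) -> {
            if (WRITES.contains(method.getName())) {
                throw new AccessDeniedException(iface.getSimpleName() + "." + method.getName()
                    + " refused: the request method is safe (GET/HEAD)");
            }
            Object result;
            try {
                result = method.invoke(target, args);
            } catch (InvocationTargetException e) {
                throw e.getCause(); // surface the repository's own exception, not the reflection wrapper
            }
            // Items handed out through the proxy (Node, Property, plain Item) become read-only too.
            if (result instanceof Node) return readOnly(result, Node.class);
            if (result instanceof Property) return readOnly(result, Property.class);
            if (result instanceof Item) return readOnly(result, Item.class);
            return result;
        };
        return Proxy.newProxyInstance(iface.getClassLoader(), new Class<?>[] {iface}, h);
    }
}
```

Note that this only guards objects reached through the proxied session: nodes taken from a NodeIterator or changes made via the Workspace are not intercepted, so a real implementation would have to wrap those paths as well.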
