--- Robert Sayre <[EMAIL PROTECTED]> wrote: > > Cross-site scripting would be a good one. > > 1.) Evil person finds naive PHP script out there on > the net. > 2.) Evil person manipulates honest clients into > POSTing to it by giving > them bogus XML. > 3.) PHP script bombarded with POSTs from random > clients. Using a new > verb makes it likely that a 405 would result. > > Also, I'd like to note that the Pace doesn't say > anything about a body > for the request. It's just a hit counter.
So let me get this straight. Some cracker hacks a high traffic site such as http://www.slashdot.org, borks their feed and alters their Atom-Error header to point to some site he doesn't like. Your argument is that it will be less load on the site to reject ERROR requests than to process then reject POST requests. That's like arguing that getting hit by a truck going 60MPH is worse than getting hit by a car going 60MPH. In the long run you still end up dead. If anything your are making a good argument against PaceServiceError as a whole not whether the HTTP method should be POST or some brand new ERROR method. ===== THINGS TO DO IF I BECOME AN EVIL OVERLORD #222 I reserve the right to execute any henchmen who appear to be a little too intelligent, powerful, or devious. However if I do so, I will not at some subsequent point shout "Why am I surrounded by these incompetent fools?!" __________________________________ Do you Yahoo!? Check out the new Yahoo! Front Page. www.yahoo.com
