Dare Obasanjo wrote:


So let me get this straight.

Some cracker hacks a high traffic site such as
http://www.slashdot.org, borks their feed and alters
their Atom-Error header to point to some site he
doesn't like. Your argument is that it will be less
load on the site to reject ERROR requests than to
process then reject POST requests.

No, that's not my argument, but yes, it would be, if the resource accepts POSTs for other reasons.


You have no idea what POST does on a given URI. It's not a question of traffic, it's a question of whether a random POST handler results in state changes that depend on the number of times it's been hit. Since the semantics of POST are application-specific (which is fine, IMHO), the POST handler could be doing something irreversible, like sending email or firing missiles. The request in PaceServiceError is idempotent.

It doesn't need to be a high-traffic site at all.

Robert Sayre
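The hijack scenario quoted above (a tampered Atom-Error header redirecting every consumer's error report at a third-party site) can be limited on the consumer side. The following is an added example, not code from the thread or from any Atom implementation; it assumes the Atom-Error value is a URL carried in an HTTP response header, that the report method is named ERROR as discussed in the thread, and it requires the target to share the feed's origin and be reported at most once per consumer.

```python
"""Consumer-side guard for a feed's advertised error-reporting target.

Constructed model (assumption, not from the thread): the feed's HTTP response
carries an Atom-Error header whose value is the URL to notify on a bad feed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REPORT_METHOD = "ERROR"  # idempotent method name as discussed in the thread


def origin(url):
    """Return (scheme, host, port) for an http(s) URL, else None."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return None
    return (p.scheme, p.hostname.lower(), p.port or DEFAULT_PORTS[p.scheme])


def report_target(feed_url, atom_error_header):
    """Return the URL to report to, or None when the header must be ignored.

    A target on a different origin than the feed is dropped, so a header
    rewritten by whoever broke the feed cannot aim the reports elsewhere.
    """
    if not atom_error_header:
        return None
    target = atom_error_header.strip()
    if origin(target) is None or origin(target) != origin(feed_url):
        return None
    return target


class ErrorReporter:
    """Sends at most one report per (feed, target) pair, using only the
    idempotent report method: repeated failures of one feed do not multiply
    requests, and no POST handler is ever invoked on the target."""

    def __init__(self, send):
        self.send = send  # callable(method, url); a real client would do HTTP
        self.reported = set()

    def report(self, feed_url, atom_error_header):
        target = report_target(feed_url, atom_error_header)
        if target is None:
            return False
        key = (feed_url, target)
        if key in self.reported:
            return False
        self.reported.add(key)
        self.send(REPORT_METHOD, target)
        return True
```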


