>   Rendering may produce side effects. But "HEAD" requests
>   are required by HTTP not to have side effects.

RFC 2616 section 9.4 states that "HEAD" is identical to "GET" in this respect, 
and both should have no side effects.


On Tuesday 18 Jun 2002 10:26 am, Wei He wrote:

> I think the last step is to change the HEAD handling
> routine to get the information from GET. Does anyone have any idea?

Yes, I think that makes sense.

A while ago the list discussed changing Zope's security declarations to add a 
way to specify whether a published method has significant side-effects.

Side-effect-free methods can have HEAD and GET handled identically.

Methods declared to have side-effects can only be accessed through a POST. I 
guess GET or HEAD on such methods would result in a 405 error (Method Not 
Allowed).

(Such a change would also go a long way to reducing the scope of 
client-side-trojan vulnerabilities.)


_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
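
The dispatch rule proposed in this message, sketched as an added example that is not part of the original post and is not Zope code. The names `declare_side_effects` and `publish` are hypothetical; treating undeclared callables as having side effects and letting POST reach side-effect-free ones are assumptions of this sketch.

```python
# Added illustration; `declare_side_effects` and `publish` are hypothetical
# names, not part of Zope's security machinery.

SAFE_METHODS = ("GET", "HEAD")


def declare_side_effects(has_side_effects):
    """Mark a published callable as changing state (True) or not (False)."""
    def mark(func):
        func.has_side_effects = has_side_effects
        return func
    return mark


def publish(http_method, func, *args):
    """Return (status, headers, body) for a request to a published callable."""
    # Assumption: an undeclared callable is treated as having side effects.
    mutating = getattr(func, "has_side_effects", True)
    # Assumption: POST is also accepted for side-effect-free callables.
    allowed = ("POST",) if mutating else SAFE_METHODS + ("POST",)
    if http_method not in allowed:
        # Refuse before calling func, so GET or HEAD can never trigger the change.
        return 405, {"Allow": ", ".join(allowed)}, b""
    body = func(*args)
    headers = {"Content-Length": str(len(body))}
    if http_method == "HEAD":
        # Same rendering and headers as GET, but no message body is sent.
        body = b""
    return 200, headers, body


# Constructed sample state and published callables.
ITEMS = ["a", "b"]


@declare_side_effects(False)
def list_items():
    return ", ".join(ITEMS).encode()


@declare_side_effects(True)
def delete_item(name):
    ITEMS.remove(name)
    return b"deleted"
```

Because the 405 is returned before the callable runs, a link or image tag that makes a browser issue a GET cannot reach `delete_item`.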
