Toby Dickenson wrote:
>> Rendering may produce side effects. But "HEAD" requests
>> are required by HTTP not to have side effects.
>
> RFC 2616 section 9.4 states that "HEAD" is identical to "GET" in this respect,
> and both should have no side effects.
>
> On Tuesday 18 Jun 2002 10:26 am, Wei He wrote:
>
>> I think the last step is to change the HEAD handling
>> routine to get the information from GET. Does anyone have any idea?
>
> Yes, I think that makes sense.
>
> A while ago the list discussed changing Zope's security declarations to add a
> way to specify whether a published method has significant side-effects.
>
> Side-effect-free methods can have HEAD and GET handled identically.
>
> Methods declared to have side-effects can only be accessed through a POST. I
> guess GET or HEAD on such methods would result in a 405 error (Method Not
> Allowed)
>
> (Such a change would also go a long way to reducing the scope of
> client-side-trojan vulnerabilities.)
>

Yes, and sadly this discussion died a miserable death.
This is the point I omitted in my other reply. Dieter's presumption that GET
can have side effects in Zope, while right, shows exactly the problem with not
following the RFC recommendations. I know that it is nearly impossible to
follow this strictly - as far as I see it wouldn't even allow showing visitor
stats on a frontpage - but Zope should at least offer some infrastructure to
handle this. And it absolutely should be stricter in its management interfaces
and such.

To be clear, the RFC says:

HEAD SHOULD NOT have side effects.
GET SHOULD NOT have side effects.
HEAD SHOULD return the same HTTP headers as GET.

So none of the discussed changes would make Zope violate the RFC, as it
doesn't really require the above, it just recommends.

cheers,
oliver

_______________________________________________
Zope-Dev maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope-dev
**  No cross posts or HTML encoding!  **
(Related lists -
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope )
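
The side-effect declaration discussed in this thread, sketched as a small WSGI dispatcher. This is an added example, not part of the original messages and not Zope's API: the names `publish`, `PUBLISHED`, `app` and `call`, the two sample methods, and the choice to allow only GET and HEAD on side-effect-free methods are all assumptions of the example.

```python
# Added illustration; publish/PUBLISHED/app/call are hypothetical names, not Zope API.
PUBLISHED = {}
COUNTER = {"deleted": 0}  # constructed sample state

def publish(path, side_effects=False):
    """Register a published method and declare whether it changes state."""
    def register(func):
        PUBLISHED[path] = (func, side_effects)
        return func
    return register

@publish("/stats")
def stats():
    return "deleted=%d\n" % COUNTER["deleted"]

@publish("/delete", side_effects=True)
def delete():
    COUNTER["deleted"] += 1
    return "ok\n"

def app(environ, start_response):
    method = environ["REQUEST_METHOD"]
    entry = PUBLISHED.get(environ.get("PATH_INFO", ""))
    if entry is None:
        start_response("404 Not Found", [("Content-Length", "0")])
        return [b""]
    func, side_effects = entry
    allowed = ("POST",) if side_effects else ("GET", "HEAD")
    if method not in allowed:
        # Refuse before calling func, so GET/HEAD can never trigger the change.
        start_response("405 Method Not Allowed",
                       [("Allow", ", ".join(allowed)), ("Content-Length", "0")])
        return [b""]
    body = func().encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    # HEAD is rendered exactly like GET; only the body is withheld.
    return [b""] if method == "HEAD" else [body]

def call(method, path):
    """Drive the WSGI app in-process; returns (status, headers dict, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    chunks = app({"REQUEST_METHOD": method, "PATH_INFO": path}, start_response)
    return seen["status"], seen["headers"], b"".join(chunks)
```

Because the method check runs before the published function is called, a link or image tag that makes a browser issue GET against `/delete` gets a 405 and the state is untouched.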