Toby Dickenson wrote:
>>  Rendering may produce side effects. But "HEAD" requests
>>  are required by HTTP not to have side effects.
> RFC 2616 section 9.4 states that "HEAD" is identical to "GET" in this respect, 
> and both should have no side effects.
> On Tuesday 18 Jun 2002 10:26 am, Wei He wrote:
>>I think the last step is to change the HEAD handling
>>routine to the get information from GET. Does anyone have any idea?
> Yes, I think that makes sense.
> A while ago the list discussed changing Zope's security declarations to add a 
> way to specify whether a published method has significant side-effects.
> Side-effect-free methods can have HEAD and GET handled identically.
> Methods declared to have side-effects can only be accessed though a POST. I 
> guess GET or HEAD on such methods would result in a 405 error (Method Not 
> Allowed)
> (Such a change would also go a long way to reducing the scope of 
> client-side-trojan vulnerabilities.)
Yes, and sadly this discussion died a miserable death.

This is the point I omitted in my other reply. Dieter presumtion that 
GET can have sideeffect in zope, while right, shows exactly the problem 
with not following the RFC recommendations.
I know that it is nearly impossible to follow this strictly - as far as 
I see it wouldn't even allow showing visitor stats on a frontpage - but 
zope should at least offer some infrastructure to handle this. And it 
absolutly should be stricter in it's management interfaces and such.

To be clear, the RFC says:

HEAD SHOULD NOT have sideffects.
GET SHOULD NOT have sideffects.
HEAD SHOULD return the same http-headers as GET.

So none of the discussed changes would make zope violate the RFC, as it 
doesn't really require the above, it just recommends.


Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to