|
Posted by Christophe Chisogne on 03/07/05 18:45
Richard Lynch a écrit :
> POST versus GET is an aesthetic choice, not Security, not Performance.
Of course, I agree it's not really a 'security' choice.
But another think you can think of can be found in the HTTP/1.1 spec
(rfc 2616) in the 'Safe Methods' section [1]. To summarize:
- GET (and HEAD) should only retreive things, with no side effect
- POST (and others) means taking action (with side effects)
It's 'sould', not 'must' or 'must not'. Anyway, I think its worth
a few seconds to think about it.
Christophe
From [1] :
------------------------------------------------------------------------
9.1.1 Safe Methods
Implementors should be aware that the software represents the user in
their interactions over the Internet, and should be careful to allow
the user to be aware of any actions they might take which may have an
unexpected significance to themselves or others.
In particular, the convention has been established that the GET and
HEAD methods SHOULD NOT have the significance of taking an action
other than retrieval. These methods ought to be considered "safe".
This allows user agents to represent other methods, such as POST, PUT
and DELETE, in a special way, so that the user is made aware of the
fact that a possibly unsafe action is being requested.
Naturally, it is not possible to ensure that the server does not
generate side-effects as a result of performing a GET request; in
fact, some dynamic resources consider that a feature. The important
distinction here is that the user did not request the side-effects,
so therefore cannot be held accountable for them.
------------------------------------------------------------------------
[1] 9.1.1 Safe Methods (pg 51)
ftp://ftp.rfc-editor.org/in-notes/rfc2616.txt
Navigation:
[Reply to this message]
|