Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

nothing on the spec prevents arbitrary data on body of a GET. but clients and proxies are implemented by lazy people who make excuses they are preserving some legacy security feature or something and continue to ignore the spec.


The spec is actually pretty clear on this - do not specify a body on a GET request.

> A payload within a GET request message has no defined semantics; sending a payload body on a GET request might cause some existing implementations to reject the request.

Previously it was "SHOULD ignore the payload".

It's nothing to do with laziness or security - people are writing spec conforming software. And indeed every library I've used allows interacting with a body, even on a GET.


> The spec is actually pretty clear on this - do not specify a body on a GET request.

That's not what your quote says.

Not having a defined semantics does not mean if is not supported. Just because some implementations fail to support GET with a request body that it does not mean all implementations should interpret it as a malformed request.

I can roll out a service with endpoints that require GET with request bodies and it would still be valid HTTP.


> That's not what your quote says.

Yes it does. "No defined semantics" = "out of spec".

> I can roll out a service with endpoints that require GET with request bodies and it would still be valid HTTP.

You're out of the HTTP spec entirely.


How are you interpreting that English?

Not defined means, it could be anything. If accepting body in GET is out of spec, then spec is supposed to say, GET cannot send body.


"out of spec" means that it is out of specification. It is literally not specified. You are doing something that is not specified. It is therefore an action that is out of specification. it is therefore out of spec.

If there was an utter ban, then it would be against specification and not compliant, not merely out of specification.


> "out of spec" means that it is out of specification. It is literally not specified.

That's not what it means at all. Being out of spec means the spec explicitly stating that a request with a body should be reject. If the spec does not state that a request with a body should be rejected then you are not required to reject a request which packs a body.


> Not defined means, it could be anything.

No, not defined means it's not within the purview of the spec. Spec doesn't care. You can send one. Maybe it'll work, maybe it won't, maybe it'll crash, maybe it'll be rejected, maybe some proxy along the way will strip it and the server won't even get it, maybe it'll get your client banned forever.

All of these are fine, because spec doesn't care.

> If accepting body in GET is out of spec, then spec is supposed to say, GET cannot send body.

No, then it would be against spec, like HEAD with a response body.


You can do whatever the fuck you want, the spec defines what it defines.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: