Toby Dickenson wrote:
Rendering may produce side effects. But "HEAD" requests are required by HTTP not to have side effects.
RFC 2616 section 9.4 states that "HEAD" is identical to "GET" in this respect, and both should have no side effects.
On Tuesday 18 Jun 2002 10:26 am, Wei He wrote:
I think the last step is to change the HEAD handling routine to get the information from GET. Does anyone have any idea?
Yes, I think that makes sense.
A while ago the list discussed changing Zope's security declarations to add a way to specify whether a published method has significant side-effects.
Side-effect-free methods can have HEAD and GET handled identically.
Methods declared to have side-effects can only be accessed through a POST. I guess GET or HEAD on such methods would result in a 405 error (Method Not Allowed).
(Such a change would also go a long way to reducing the scope of client-side-trojan vulnerabilities.)
Yes, and sadly this discussion died a miserable death. This is the point I omitted in my other reply. Dieter's presumption that GET can have side effects in Zope, while right, shows exactly the problem with not following the RFC recommendations.
I know that it is nearly impossible to follow this strictly (as far as I see, it wouldn't even allow showing visitor stats on a front page), but Zope should at least offer some infrastructure to handle this. And it absolutely should be stricter in its management interfaces and such.
To be clear, the RFC says:
HEAD SHOULD NOT have side effects.
GET SHOULD NOT have side effects.
HEAD SHOULD return the same HTTP headers as GET.
So none of the discussed changes would make Zope violate the RFC, as it doesn't really require the above, it just recommends.
cheers,
oliver
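
A minimal sketch of the idea discussed in this thread: each published method declares whether it has side effects, HEAD is served through the same path as GET for safe methods, and GET or HEAD on a side-effecting method is answered with 405 before the method runs. This is an added example, not code from the thread or from Zope; the `published` decorator, the `side_effects` flag and the `request` helper are hypothetical names, and plain WSGI stands in for Zope's publisher.

```python
# Added illustration; every name here is hypothetical, none is a Zope API.
from wsgiref.util import setup_testing_defaults

ROUTES = {}
STATE = {"deleted": 0}  # constructed stand-in for persistent data

def published(path, side_effects=False):
    """Register a view and declare whether calling it changes state."""
    def register(func):
        ROUTES[path] = (func, side_effects)
        return func
    return register

@published("/index")
def index():
    return b"<h1>front page</h1>"

@published("/delete", side_effects=True)
def delete():
    STATE["deleted"] += 1
    return b"deleted"

def app(environ, start_response):
    method = environ["REQUEST_METHOD"]
    func, side_effects = ROUTES.get(environ["PATH_INFO"], (None, False))
    if func is None:
        start_response("404 Not Found", [("Content-Length", "0")])
        return [b""]
    # Assumption: safe views also accept POST; unsafe views accept only POST.
    allowed = ("POST",) if side_effects else ("GET", "HEAD", "POST")
    if method not in allowed:
        # Refuse before calling the view, so a GET/HEAD cannot change state.
        start_response("405 Method Not Allowed",
                       [("Allow", ", ".join(allowed)), ("Content-Length", "0")])
        return [b""]
    body = func()
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    # HEAD takes the same path as GET: identical headers, body dropped.
    return [b""] if method == "HEAD" else [body]

def request(method, path):
    """Drive the app in-process; return (status, headers, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys
    seen = {}
    def start_response(status, headers):
        seen.update(status=status, headers=dict(headers))
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```

Because the method check happens before the view is called, a link or image tag that triggers a GET against `/delete` leaves `STATE` unchanged, which is the client-side-trojan reduction mentioned above.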