[Zope-dev] Last-modified and bobobase_modification_time
Toby Dickenson
tdickenson@geminidataloggers.com
Tue, 18 Jun 2002 11:13:45 +0100
> Rendering may produce side effects. But "HEAD" requests
> are required by HTTP not to have side effects.
RFC 2616 section 9.4 states that "HEAD" is identical to "GET" in this respect,
and both should have no side effects.
On Tuesday 18 Jun 2002 10:26 am, Wei He wrote:
> I think the last step is to change the HEAD handling
> routine to get the information from GET. Does anyone have any idea?
Yes, I think that makes sense.
A while ago the list discussed changing Zope's security declarations to add a
way to specify whether a published method has significant side-effects.
Side-effect-free methods can have HEAD and GET handled identically.
Methods declared to have side-effects can only be accessed through a POST. I
guess GET or HEAD on such methods would result in a 405 error (Method Not
Allowed).
(Such a change would also go a long way to reducing the scope of
client-side-trojan vulnerabilities.)
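
A sketch of the dispatch rule proposed in the message above, added here as an illustration; it is not Zope code and not from the original post. The side_effects decorator, the Folder class and the publish function are hypothetical names, and letting side-effect-free methods also accept POST is an assumption.

```python
# Added illustration, not Zope's publisher. All names are hypothetical.
SAFE_VERBS = ("GET", "HEAD")

def side_effects(func):
    """Declare that a published method changes server state."""
    func.has_side_effects = True
    return func

class Folder:
    """Constructed sample object with one safe and one mutating method."""
    def __init__(self):
        self.items = ["a", "b"]

    def listing(self):
        return ", ".join(self.items)

    @side_effects
    def delete_all(self):
        self.items.clear()
        return "deleted"

def publish(obj, verb, name):
    """Return (status, headers, body) for one request to obj.<name>."""
    method = getattr(obj, name, None)
    if name.startswith("_") or not callable(method):
        return 404, {}, ""
    mutating = getattr(method, "has_side_effects", False)
    # Assumption: safe methods may also be reached by POST.
    allowed = ("POST",) if mutating else SAFE_VERBS + ("POST",)
    if verb not in allowed:
        # Rejected before the method runs, so a GET triggered from a
        # third-party page cannot change state. 405 carries Allow.
        return 405, {"Allow": ", ".join(allowed)}, ""
    body = method()
    headers = {"Content-Length": str(len(body))}  # ASCII sample bodies
    # HEAD takes the same code path as GET; only the body is withheld,
    # so its headers always match what GET would send.
    if verb == "HEAD":
        body = ""
    return 200, headers, body
```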