[Zope-dev] Last-modified and bobobase_modification_time
Oliver Bleutgen
myzope@gmx.net
Tue, 18 Jun 2002 13:04:55 +0200
Toby Dickenson wrote:
>> Rendering may produce side effects. But "HEAD" requests
>> are required by HTTP not to have side effects.
>
> RFC 2616 section 9.4 states that "HEAD" is identical to "GET" in this respect,
> and both should have no side effects.
>
> On Tuesday 18 Jun 2002 10:26 am, Wei He wrote:
>
>> I think the last step is to change the HEAD handling
>> routine to the get information from GET. Does anyone have any idea?
>
> Yes, I think that makes sense.
>
> A while ago the list discussed changing Zope's security declarations to add a
> way to specify whether a published method has significant side-effects.
>
> Side-effect-free methods can have HEAD and GET handled identically.
>
> Methods declared to have side-effects can only be accessed through a POST. I
> guess GET or HEAD on such methods would result in a 405 error (Method Not
> Allowed).
>
> (Such a change would also go a long way to reducing the scope of
> client-side-trojan vulnerabilities.)
>
Yes, and sadly this discussion died a miserable death.
This is the point I omitted in my other reply. Dieter's presumption that
GET can have side effects in Zope, while right, shows exactly the problem
with not following the RFC recommendations.
I know that it is nearly impossible to follow this strictly - as far as
I see it wouldn't even allow showing visitor stats on a frontpage - but
Zope should at least offer some infrastructure to handle this. And it
absolutely should be stricter in its management interfaces and such.
To be clear, the RFC says:
HEAD SHOULD NOT have side effects.
GET SHOULD NOT have side effects.
HEAD SHOULD return the same HTTP headers as GET.
So none of the discussed changes would make Zope violate the RFC, as it
doesn't really require the above, it just recommends.
cheers,
oliver
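The scheme discussed in this thread (declare which published methods are side-effect free, serve HEAD from the GET path with identical headers and no body, and answer GET/HEAD on side-effecting methods with 405) can be sketched in a few dozen lines. The following is an added example written for this archive page; it is not Zope code and not anything Toby, Oliver or Wei posted. It assumes a hypothetical `safe` decorator as the declaration mechanism, a toy `Counter` object standing in for a published Zope object, and a `publish()` function that returns `(status, headers, body)` instead of talking to a real socket, so it runs offline.

```python
"""Added example (not Zope code): a minimal publisher that enforces the
side-effect declarations proposed in the thread.

Assumptions (mine, not from the thread):
  - a published method is marked side-effect free with the hypothetical
    `safe` decorator; anything not marked is treated as side-effecting;
  - `publish(obj, method, name)` returns (status, headers, body) so the
    behaviour can be exercised without a web server.
"""

SAFE_ATTR = "_http_safe"


def safe(func):
    """Declare that calling this published method has no side effects."""
    setattr(func, SAFE_ATTR, True)
    return func


class Counter:
    """Hypothetical published object with one safe and one unsafe method."""

    def __init__(self):
        self.value = 0

    @safe
    def index_html(self):
        # Read-only rendering: GET and HEAD may share this code path.
        return "value=%d\n" % self.value

    def increment(self):
        # Mutates state, so it must not be reachable through GET or HEAD.
        self.value += 1
        return "value=%d\n" % self.value


def publish(obj, method, name):
    """Dispatch an HTTP request to a published method.

    Returns (status, headers, body).  HEAD reuses the GET path and drops
    the body, so its headers are identical to GET's (RFC 2616 9.4).
    Methods without a `safe` declaration answer 405 to GET and HEAD and
    are only reachable through POST.
    """
    if name.startswith("_"):
        return 404, {"Content-Type": "text/plain"}, "Not Found\n"
    func = getattr(obj, name, None)
    if func is None or not callable(func):
        return 404, {"Content-Type": "text/plain"}, "Not Found\n"

    # Bound methods forward attribute reads to the underlying function,
    # so the marker set by `safe` is visible here.
    is_safe = getattr(func, SAFE_ATTR, False)

    if method in ("GET", "HEAD") and not is_safe:
        # Refuse to trigger side effects from a request that must not have any.
        headers = {"Allow": "POST", "Content-Type": "text/plain"}
        return 405, headers, "Method Not Allowed\n"
    if method not in ("GET", "HEAD", "POST"):
        allow = "GET, HEAD, POST" if is_safe else "POST"
        headers = {"Allow": allow, "Content-Type": "text/plain"}
        return 405, headers, "Method Not Allowed\n"

    body = func()
    headers = {"Content-Type": "text/plain", "Content-Length": str(len(body))}
    if method == "HEAD":
        # Same status and headers as GET, but no entity body.
        return 200, headers, ""
    return 200, headers, body


if __name__ == "__main__":
    c = Counter()
    for method, name in [("GET", "index_html"), ("HEAD", "index_html"),
                         ("GET", "increment"), ("HEAD", "increment"),
                         ("POST", "increment"), ("GET", "index_html")]:
        status, headers, body = publish(c, method, name)
        print("%-4s %-10s -> %d %s %r" % (method, name, status, headers, body))
```

With this in place a `GET` or `HEAD` on `increment` never touches the counter (the state check in the demo confirms `value` stays at 0 until a `POST` arrives), while `HEAD index_html` returns exactly the headers that `GET index_html` would, which is the point Toby makes about RFC 2616 section 9.4.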