Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)

[Greg Stein <gstein@xxxxxxxxxx>]

On Wed, Jun 23, 2004 at 03:55:18PM -0400, Robert Sayre wrote:
>...
> I'm not enthusiastic about defining a distributed, XML parser-triggered 
> proxy mechanism for POSTing to an arbitrary URI. GET or ERROR don't have 
> this problem.

Yikes. I hadn't even considered that problem. I don't like the ErrorURI
concept at all, but this points to a bigger requirement: the URI better
point to the same hostname as the feed which has a problem. Otherwise, you
can get people to starting yapping at arbitrary servers. I wouldn't go so
far as to call it a DDoS, but there is certainly the possibility of a mild
onslaught of requests to any arbitrary URI.

Then you have issues about cookies being carried with those requests, and
the possibility for cross-site-scripting attacks, and ...

Bleck. I'll let the ErrorURI supporters figure a way out of that. I'll
stick with supporting the ERROR method proposal :-)

> >I think the fear of abuse on the error-URIs is exaggerated, and that 
> >the  problem isn't any bigger for them than for other URIs or services.

Well, not quite sure. With a "bad" response, you can force a client to
make a request to any arbitrary URI. While it is true that the resource at
the ErrorURI can be spam'd with or without the ErrorURI proposal, I think
the fact that the server can *control* the client's request behavior (and
it happens "under the covers", unlike a standard HTTP redirect) is a big
issue.

> The burden of proof is on you, not me.

Play nice, now :-)

Cheers,
-g