[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)

To: Greg Stein <gstein@xxxxxxxxxx>
Subject: Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)
From: Robert Sayre <mint@xxxxxxxxxxxxxxx>
Date: Wed, 23 Jun 2004 17:53:40 -0400
Cc: atom-syntax@xxxxxxx
In-reply-to: <>
List-archive: <http://www.imc.org/atom-syntax/mail-archive/>
List-id: <atom-syntax.imc.org>
List-unsubscribe: <mailto:atom-syntax-request@imc.org?body=unsubscribe>
References: <> <> <> <> <> <> <> <> <> <> <>
Reply-to: mint@xxxxxxxxxxxxxxx
Sender: owner-atom-syntax@xxxxxxxxxxxx
User-agent: Mozilla Thunderbird 0.6 (Windows/20040502)

Greg Stein wrote:

Yikes. I hadn't even considered that problem. I don't like the ErrorURI concept at all, but this points to a bigger requirement: the URI better point to the same hostname as the feed which has a problem. Otherwise, you can get people to starting yapping at arbitrary servers. I wouldn't go so far as to call it a DDoS, but there is certainly the possibility of a mild onslaught of requests to any arbitrary URI.

PaceServiceError requires a referrer header. I don't think the DDoS possibilities for a safe method are any worse than HTML. It would be easier to include someone else's vacation photos in your feed. Now that would be some bandwidth!

Then you have issues about cookies being carried with those requests, and
the possibility for cross-site-scripting attacks, and ...

This is why I don't like POST and/or a message body. At least, certainly no message body with free text in it.

Bleck. I'll let the ErrorURI supporters figure a way out of that. I'll
stick with supporting the ERROR method proposal :-)

I'll note that ErrorURI and ERROR are not mutually exclusive.

Robert Sayre

References:
- Re: AtomPubIssuesList
  - From: Robert Sayre
- Re: AtomPubIssuesList
  - From: Danny Ayers
- PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)
  - From: Mark Pilgrim
- Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)
  - From: Robert Sayre
- Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)
  - From: Asbjørn Ulsberg
- Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)
  - From: Robert Sayre
- Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)
  - From: Asbjørn Ulsberg
- Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)
  - From: Robert Sayre
- Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)
  - From: Asbjørn Ulsberg
- Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)
  - From: Robert Sayre
- Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)
  - From: Greg Stein

Prev by Date: Re: issue: PaceXmlBaseEverywhere/PaceXmlBaseId
Next by Date: Atompub WG Work Plan
Previous by thread: Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)
Next by thread: Re: PaceServiceError GET vs. POST (was Re: AtomPubIssuesList)
Index(es):
- Date
- Thread