

83 messages in org.w3.www-tag RE: FW: draft findings on Unsafe Meth...

| From | Sent On | Attachments |
|---|---|---|
| Dan Connolly | Apr 15, 2002 8:50 am | |
| Larry Masinter | Apr 15, 2002 1:44 pm | |
| David Orchard | Apr 15, 2002 3:01 pm | |
| David Orchard | Apr 15, 2002 3:19 pm | |
| Mark Baker | Apr 15, 2002 8:00 pm | |
| Keith Moore | Apr 15, 2002 8:37 pm | |
| Scott Cantor | Apr 15, 2002 9:28 pm | |
| Edwin Khodabakchian | Apr 15, 2002 9:34 pm | |
| David Orchard | Apr 15, 2002 10:18 pm | |
| Paul Prescod | Apr 15, 2002 11:17 pm | |
| Tim Bray | Apr 15, 2002 11:32 pm | |
| Mark Nottingham | Apr 16, 2002 1:01 am | |
| Tim Bray | Apr 16, 2002 1:02 am | |
| Mark Nottingham | Apr 16, 2002 1:09 am | |
| Paul Prescod | Apr 16, 2002 2:11 am | |
| Paul Prescod | Apr 16, 2002 3:02 am | |
| Mark Baker | Apr 16, 2002 4:54 am | |
| Williams, Stuart | Apr 16, 2002 8:22 am | |
| Keith Moore | Apr 16, 2002 8:32 am | |
| jon...@research.att.com | Apr 16, 2002 8:44 am | |
| Scott Cantor | Apr 16, 2002 8:55 am | |
| Paul Prescod | Apr 16, 2002 9:40 am | |
| Mark Nottingham | Apr 16, 2002 9:42 am | |
| Hutchison, Nigel | Apr 16, 2002 9:43 am | |
| Henrik Frystyk Nielsen | Apr 16, 2002 10:48 am | |
| Bullard, Claude L (Len) | Apr 16, 2002 1:46 pm | |
| Larry Masinter | Apr 16, 2002 6:39 pm | |
| Roy T. Fielding | Apr 16, 2002 7:54 pm | |
| Larry Masinter | Apr 16, 2002 10:10 pm | |
| Graham Klyne | Apr 17, 2002 1:54 am | |
| Paul Prescod | Apr 18, 2002 12:33 am | |
| Graham Klyne | Apr 18, 2002 9:11 am | |
| Alex Rousskov | Apr 18, 2002 9:30 am | |
| Paul Prescod | Apr 18, 2002 9:45 am | |
| Graham Klyne | Apr 18, 2002 11:58 am | |
| Roy T. Fielding | Apr 18, 2002 3:11 pm | |
| Don Box | Apr 18, 2002 6:28 pm | |
| Mark Baker | Apr 18, 2002 8:50 pm | |
| Keith Moore | Apr 18, 2002 8:54 pm | |
| Paul Prescod | Apr 18, 2002 10:00 pm | |
| Graham Klyne | Apr 19, 2002 12:53 am | |
| Bill de hÓra | Apr 19, 2002 4:18 am | |
| Roy T. Fielding | Apr 19, 2002 1:20 pm | |
| Anne Thomas Manes | Apr 22, 2002 3:23 pm | |
| Paul Prescod | Apr 22, 2002 4:01 pm | |
| Anne Thomas Manes | Apr 22, 2002 8:17 pm | |
| Paul Prescod | Apr 22, 2002 10:21 pm | |
| Anne Thomas Manes | Apr 23, 2002 5:36 am | |
| Paul Prescod | Apr 23, 2002 12:03 pm | |
| Paul Prescod | Apr 23, 2002 2:09 pm | |
| Roy T. Fielding | Apr 23, 2002 2:14 pm | |
| Bullard, Claude L (Len) | Apr 23, 2002 2:50 pm | |
| Joshua Allen | Apr 23, 2002 2:53 pm | |
| David Orchard | Apr 23, 2002 4:14 pm | |
| Keith Moore | Apr 23, 2002 5:05 pm | |
| Roy T. Fielding | Apr 23, 2002 5:14 pm | |
| Simon St.Laurent | Apr 23, 2002 5:18 pm | |
| Larry Masinter | Apr 23, 2002 6:31 pm | |
| Mark Baker | Apr 23, 2002 6:36 pm | |
| Paul Prescod | Apr 23, 2002 8:03 pm | |
| Tim Bray | Apr 23, 2002 8:30 pm | |
| Dan Connolly | Apr 23, 2002 9:05 pm | |
| Joshua Allen | Apr 23, 2002 9:10 pm | |
| Anne Thomas Manes | Apr 23, 2002 9:28 pm | |
| Mark Nottingham | Apr 23, 2002 9:42 pm | |
| Jeff Bone | Apr 23, 2002 9:42 pm | |
| Joshua Allen | Apr 23, 2002 10:02 pm | |
| Paul Prescod | Apr 23, 2002 10:05 pm | |
| Joshua Allen | Apr 23, 2002 10:27 pm | |
| Joshua Allen | Apr 23, 2002 10:38 pm | |
| Mark Nottingham | Apr 23, 2002 10:57 pm | |
| Mark Nottingham | Apr 23, 2002 11:16 pm | |
| Joshua Allen | Apr 23, 2002 11:20 pm | |
| Dan Connolly | Apr 23, 2002 11:23 pm | |
| Tim Bray | Apr 23, 2002 11:56 pm | |
| Bullard, Claude L (Len) | Apr 24, 2002 7:23 am | |
| Larry Masinter | Apr 24, 2002 8:47 am | |
| Keith Moore | Apr 24, 2002 10:46 am | |
| Bullard, Claude L (Len) | Apr 24, 2002 10:56 am | |
| Aaron Swartz | Apr 24, 2002 11:27 am | |
| Mike Dierken | Apr 24, 2002 12:06 pm | |
| David Orchard | Apr 25, 2002 10:54 am | |
| Roy T. Fielding | May 5, 2002 3:38 am | |

| Subject: | RE: FW: draft findings on Unsafe Methods (whenToUseGet-7) |
|---|---|
| From: | Joshua Allen (josh...@microsoft.com) |
| Date: | Apr 23, 2002 10:02:44 pm |
| List: | org.w3.www-tag |

> No, it shows where ignorance of the Web architecture can lead any group of people to design a solution that breaks it instead of becoming part of it. If you told people the truth about what will happen to SOAP over HTTP as soon as firewalls are upgraded to defend against them, those customers wouldn't allow that technology in the door.

Well, my personal experience has been with customers who have upgraded their firewalls specifically to enable SOAP packets to more efficiently flow. I suppose that some customers could be scared into inaction by enough FUD, but that doesn't seem to be the case yet. It would be a shame to see people's personal opinions about "web architecture" spill over into personality politics and FUD-mongering. It would be a shame, but I don't think it would have much impact on the adoption of SOAP. I am confident that the members of tag are mature enough to work out these issues amongst themselves and come to consensus without causing unnecessary polarization and politicization of the industry.
I *can* say, from firsthand experience, that many companies instituted policies in the early days of the web by which they blocked *all* port 80 traffic from their networks. This is because they became very alarmed at the way that people were using POST to hook up to arbitrary code. And do you know what? They *still* block all incoming port 80 traffic. Most corporate IT security shops will *never* trust port 80 traffic to anything but their DMZs, because they know that they cannot trust POST.
On the other hand, businesses know that they can filter SOAP messages at a much more granular level, and they know that SOAP messages identify themselves clearly, unlike the widespread generic abuse of POST. POST is the Trojan horse that businesses are afraid of. It is sheer duplicity to try to redirect people's attention to something far more transparent and manageable like SOAP.
We all agree what the "good" use of POST is. But it is the worst kind of revisionist history to say that this use of POST was ever agreed upon by any implementers or users -- it has always and will always exist only in our imaginations. You may claim that this use of POST was fundamental to the original specs, but obviously the original spec was loose enough to allow people to completely ignore the intentions and abuse the heck out of POST. POST abuse is de-facto standard, and I blame it entirely on the POST specification. Second to the POST spec, I blame the original NCSA-HTTPD CGI samples that seduced people down the road to ruin. Considering that the current situation was created by the original specs and the first web servers, there is something distinctly Quixotic about someone trying to "fix" POST abuse at this point in the game.
I would also point out that POST abuse probably had a lot to do with the success of "the web" as we know it today. Certainly "the largest creation of wealth in the history of mankind" turned out to be a dream, but places like Amazon.com, priceline.com, etc. have touched many lives. Would Amazon or Priceline have ever deployed without POST "abuse"? I doubt it. You may feel that the entire success of the web was due to people following the principles that you retrospectively outlined in your thesis paper, but you have to admit that people have been ignoring your advice about POST for about 3 billion pages now, and things are working just fine.
And if you are really concerned about POST abuse, then why not pose some constructive suggestions about how to deal with it? I think if anyone sat down and tried to come up with a plan to reduce the abuse of POST and clear the way for a semantic web, SOAP would be a significant part of the solution.
Regards, Joshua







