[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] Issue Comment Edited: (ODATA-420) Response codes 404 and 405: MUST instead of SHOULD
[ http://tools.oasis-open.org/issues/browse/ODATA-420?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=33617#action_33617 ] Stefan Drees edited comment on ODATA-420 at 5/30/13 10:55 AM: -------------------------------------------------------------- I like the updated proposal, but do not know, if its from a security standpoint a best practice to enforce a 404 info regardless of the "probing" method. In other words, it is maybe not good in separation of concerns terms. We (OData) handle requests, inside a common HTTP serving context. As I know HTTP server configuring and behaviors, the "method not allowed" errors may span a "wide defense area", i.e. being triggered early, by comparing a portion of the path only and not even trying to resolve the full path to an object or method or even handing the request over to a backend application service. So maybe a regex is tested and if not match early out. So if we have to settle on a decision hierarchy maybe the other way around, like "ask me the right way" check first (method ok?) and then "do I have the answer" (otherwise 404) and after that OData specifics like the server side stuff 501's etc. What do the others think? was (Author: sdrees): I like the updated proposal, but do not know, if its from a security standpoint a best practice to enforce a 404 info regardless of the "probing" method. In other words, it is maybe not good in separation of concerns terms. We (OData) handle requests, inside a common HTTP serving context. As I know HTTP server configuring and behaviors, the "method not allowed" errors may span a "wide defense area", i.e. being triggered early, by comparing a portion of the path only and not even trying to resolve the full path to an object or method or even handing the request over to a backend application service. So maybe a regex is tested and if not match early out. > Response codes 404 and 405: MUST instead of SHOULD > -------------------------------------------------- > > Key: ODATA-420 > URL: http://tools.oasis-open.org/issues/browse/ODATA-420 > Project: OASIS Open Data Protocol (OData) TC > Issue Type: Bug > Components: OData Protocol > Affects Versions: V4.0_CSD01 > Environment: [Proposed] > Reporter: Ralf Handl > Fix For: V4.0_CSD02 > > > It is unclear what the service might do if it doesn't want to respond with 404 Not Found to a non-existing resource or 405 Method Not Allowed for an existing resource. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]