OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

odata message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] Issue Comment Edited: (ODATA-420) Response codes 404 and 405: MUST instead of SHOULD

    [ http://tools.oasis-open.org/issues/browse/ODATA-420?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=33617#action_33617 ] 

Stefan Drees edited comment on ODATA-420 at 5/30/13 10:55 AM:
--------------------------------------------------------------

I like the updated proposal, but do not know, if its from a security standpoint a best practice to enforce a 404 info regardless of the "probing" method.

In other words, it is maybe not good in separation of concerns terms. We (OData) handle requests, inside a common HTTP serving context.

As I know HTTP server configuring and behaviors, the "method not allowed" errors may span a "wide defense area", i.e. being triggered early, by comparing a portion of the path only and not even trying to resolve the full path to an object or method or even handing the request over to a backend application service. So maybe a regex is tested and if not match early out.

So if we have to settle on a decision hierarchy maybe the other way around, like "ask me the right way" check first (method ok?) and then "do I have the answer" (otherwise 404) and after that OData specifics like the server side stuff 501's etc.

What do the others think?



      was (Author: sdrees):
    I like the updated proposal, but do not know, if its from a security standpoint a best practice to enforce a 404 info regardless of the "probing" method.

In other words, it is maybe not good in separation of concerns terms. We (OData) handle requests, inside a common HTTP serving context.

As I know HTTP server configuring and behaviors, the "method not allowed" errors may span a "wide defense area", i.e. being triggered early, by comparing a portion of the path only and not even trying to resolve the full path to an object or method or even handing the request over to a backend application service. So maybe a regex is tested and if not match early out.


  
> Response codes 404 and 405: MUST instead of SHOULD
> --------------------------------------------------
>
>                 Key: ODATA-420
>                 URL: http://tools.oasis-open.org/issues/browse/ODATA-420
>             Project: OASIS Open Data Protocol (OData) TC
>          Issue Type: Bug
>          Components: OData Protocol 
>    Affects Versions: V4.0_CSD01
>         Environment: [Proposed]
>            Reporter: Ralf Handl
>             Fix For: V4.0_CSD02
>
>
> It is unclear what the service might do if it doesn't want to respond with 404 Not Found to a non-existing resource or 405 Method Not Allowed for an existing resource.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://tools.oasis-open.org/issues/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]