[Zope-dev] Last-modified and bobobase_modification_time

Toby Dickenson tdickenson@geminidataloggers.com
Tue, 18 Jun 2002 11:13:45 +0100


>   Rendering may produce side effects. But "HEAD" requests
>   are required by HTTP not to have side effects.

RFC 2616 section 9.4 states that "HEAD" is identical to "GET" in this respect,
and both should have no side effects.


On Tuesday 18 Jun 2002 10:26 am, Wei He wrote:

> I think the last step is to change the HEAD handling
> routine to get the information from GET. Does anyone have any idea?

Yes, I think that makes sense.

A while ago the list discussed changing Zope's security declarations to add a
way to specify whether a published method has significant side-effects.

Side-effect-free methods can have HEAD and GET handled identically.

Methods declared to have side-effects can only be accessed through a POST. I
guess GET or HEAD on such methods would result in a 405 error (Method Not
Allowed).

(Such a change would also go a long way to reducing the scope of
client-side-trojan vulnerabilities.)
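
The dispatch rule proposed above, as an added example that is not part of the original post and not Zope's own code. The `side_effects` declaration, the `publish` function, the sample methods, and the choice to treat undeclared methods as unsafe are all assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not Zope's API.

def side_effects(flag):
    """Declare whether a published method changes state (hypothetical)."""
    def mark(func):
        func.has_side_effects = flag
        return func
    return mark


def publish(http_method, func, *args):
    """Return (status, headers, body) for one request to a published method."""
    # Undeclared methods are treated as having side effects (assumption:
    # fail closed rather than expose an unreviewed method to GET).
    unsafe = getattr(func, "has_side_effects", True)
    allowed = ("POST",) if unsafe else ("GET", "HEAD", "POST")
    if http_method not in allowed:
        # Rejected before the method body runs, so no state is modified.
        return 405, {"Allow": ", ".join(allowed)}, b""
    body = func(*args).encode("utf-8")
    headers = {"Content-Length": str(len(body))}
    if http_method == "HEAD":
        # Same code path and headers as GET; only the body is dropped.
        return 200, headers, b""
    return 200, headers, body


# Constructed sample state and published methods.
DOCUMENTS = {"readme": "hello"}

@side_effects(False)
def view(name):
    return DOCUMENTS[name]

@side_effects(True)
def delete(name):
    del DOCUMENTS[name]
    return "deleted " + name


if __name__ == "__main__":
    requests = [("GET", view), ("HEAD", view), ("GET", delete), ("POST", delete)]
    for verb, method in requests:
        print(verb, method.__name__, publish(verb, method, "readme"))
```

Because a link or embedded resource planted in a page only makes the browser issue a GET, the 405 branch is what keeps such a request from reaching a state-changing method.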