Safe Methods

Istvan (simon@mcs.mcs.csuhayward.edu)
Wed, 17 Jul 1996 14:13:37 +0800


In the recent discussion about the xxx.lanl.gov incident,
some people have defended the point of view
that if a robot does not follow the REP, its authors are responsible for
whatever side-effects their GET or HEAD requests generate on the server.

Without trying to reopen that lengthy debate, I think that it is worthwhile
to point out that the HTTP protocol addresses this issue, and explicitly
disallows the above point of view.

Section 12.2 of the HTTP protocol, quoted below, addresses this
particular issue clearly and authoritatively: (emphasis added by me)

"12.2 Safe Methods

The writers of client software should be aware that the software represents the
user in their interactions over the Internet, and should be careful to allow
the user to be aware of any actions they may take which may have
an unexpected significance to themselves or others.

In particular, THE CONVENTION HAS BEEN ESTABLISHED that the GET and HEAD
methods SHOULD NEVER HAVE THE SIGNIFICANCE OF TAKING AN ACTION OTHER THAN
RETRIEVAL. These methods should be considered "safe". This allows user agents
to represent other methods, such as POST, in a special way, so that the user
is made aware of the fact that a possibly unsafe action is being requested.

NATURALLY, IT IS NOT POSSIBLE TO ENSURE THAT THE SERVER DOES NOT GENERATE
side-effects as a result of performing a GET request; in fact, some
dynamic resources consider that a feature. The important distinction here is
THAT THE USER DID NOT REQUEST THE SIDE-EFFECTS, SO THEREFORE CANNOT BE HELD
ACCOUNTABLE FOR THEM."

--Steve Simon
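
The server-side half of the convention quoted above, as an added example that is not part of the original message: a WSGI application that lets GET and HEAD reach only a retrieval handler, so a robot following links cannot trigger a state change. The `/article/<id>` paths, the handler names and the in-memory store are hypothetical.

```python
from wsgiref.util import setup_testing_defaults

SAFE_METHODS = {"GET", "HEAD"}
ARTICLES = {"42": "Safe Methods"}  # constructed sample state

def read_article(article_id):
    """Retrieval only: no state change, so GET and HEAD may reach it."""
    return ARTICLES.get(article_id)

def delete_article(article_id):
    """State-changing action: reachable only through an unsafe method."""
    return ARTICLES.pop(article_id, None) is not None

def app(environ, start_response):
    method = environ["REQUEST_METHOD"]
    parts = [p for p in environ.get("PATH_INFO", "").split("/") if p]
    if len(parts) == 2 and parts[0] == "article":
        allowed, handler = SAFE_METHODS, read_article
    elif len(parts) == 3 and parts[0] == "article" and parts[2] == "delete":
        allowed, handler = {"POST"}, delete_article
    else:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found\n"]
    if method not in allowed:
        # A robot that follows a link with GET lands here; nothing changes.
        headers = [("Allow", ", ".join(sorted(allowed)))]
        start_response("405 Method Not Allowed", headers)
        return [b"method not allowed\n"]
    result = handler(parts[1])
    text = result if isinstance(result, str) else "deleted" if result else "not found"
    start_response("200 OK" if result else "404 Not Found",
                   [("Content-Type", "text/plain")])
    return [] if method == "HEAD" else [text.encode() + b"\n"]

def request(method, path):
    """Drive the app in-process; return (status, headers dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```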