XML-RPC and http

Clay Shirky clay@shirky.com
Tue, 7 Aug 2001 07:19:27 -0400 (EDT)


> In the examples of Blogger and iVillage you gave earlier you 
> claimed the issue was that they used POST to log in. 

Look again. Blogger uses POST for every form on the HP, idempotent or
no. 

> POST *is* the correct method to use for log in! Logging in is a
> side-effect, no?

No.

http is stateless, so logging in produces no side effect. Saying "Show
me the present state of my in-box" is no more a side effect than
saying "Show me the present state of a stock price."

The reason MSFT, to take but one example, uses GET for stock quotes
but POST for a Hotmail login has nothing to do with side effects and
everything to do with POST not showing the passwd in the query
string. 

> I agree, it is not enforced by the HTTP implementation (i.e. 
> your web browser will still work if someone uses POST instead of 
> GET)

Yep, a usage you yourself defend (except, for some reason, when it's
used by XML-RPC.)

> ... but as I've mentioned several times before it's enforced by
> Google, bookmarking, linking, caching, etc. -- all those good things
> which are built upon the foundation of URIs.

Nope. The semantics of *GET* are enforced by things like bookmarking
and linking. The semantics of POST are not enforced by anything. This
leaves us with the situation we have today, where POST is a general
purpose tool. 

> Aha, even your New York webmasters know when to use GET!

Sure, they know when to use GET -- only when POST can't be used as the
default. They use POST as a general purpose tool for getting data to
the server. Just like XML-RPC does.

> Great! The browser itself is enforcing the restrictions of the 
> RFC. What's the big deal?

No it's not. The browser does nothing to make the use of POST
contingent on producing side effects. 

> I'm not even sure what you mean here. People use GET when they 
> want folks to bookmark pages and send them to their friends; 
> they use POST when they don't want things (JavaScript worms, 
> Google, a web archiving tool, etc.) to make unsuspecting users 
> automagically do an action (like buy a book on Amazon).

Did you even read what I wrote? Not one person made the distinction
you make here. They use POST as the default tool for getting data to
the server.

> Your NYC web designers have made this choice easier: default to
> POST, use GET when folks need to bookmark it. In doing so, they make
> the right choices.

So again: what's wrong with XML-RPC defaulting to POST?

-clay
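
The message's point that POST keeps the passwd out of the query string is visible in server access logs, where the request line (URL included) is recorded but a POST body is not. The following is an added example, not part of the original message: it scans access-log lines for credential-like query parameters and redacts them. The log lines, the parameter-name list and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as credentials (an assumption; extend for your apps).
SENSITIVE = {"passwd", "password", "pass", "pwd", "token"}

# Request part of a common/combined log format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Aug/2001:07:19:27 -0400] "GET /quote?symbol=MSFT HTTP/1.0" 200 512',
    '192.0.2.11 - - [07/Aug/2001:07:20:02 -0400] "GET /login?user=alice&passwd=hunter2 HTTP/1.0" 200 734',
    '192.0.2.12 - - [07/Aug/2001:07:21:40 -0400] "POST /login HTTP/1.0" 200 734',
]

def find_exposed_credentials(lines):
    """Return (line_number, method, path, [param names]) for each request
    whose URL query string carries a credential-like parameter."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we can parse
        parts = urlsplit(match.group("target"))
        names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                 if k.lower() in SENSITIVE]
        if names:
            findings.append((number, match.group("method"), parts.path, names))
    return findings

def redact(line):
    """Mask credential values so the log line can be shared or stored."""
    pattern = r'(?i)([?&](?:%s)=)[^&\s"]*' % "|".join(sorted(SENSITIVE))
    return re.sub(pattern, r"\1[REDACTED]", line)

if __name__ == "__main__":
    for number, method, path, names in find_exposed_credentials(SAMPLE_LOG):
        print(f"line {number}: {method} {path} exposes {names}")
        print("  ", redact(SAMPLE_LOG[number - 1]))
```

Only the GET login is flagged; the POST login leaves nothing credential-bearing in the request line, and the stock-quote GET is untouched by redaction.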