Re: Paul Burchard on HTML 2.0 FORMs

Tim Berners-Lee <timbl@oclc.org>
Date: Tue, 12 Jul 94 11:31:30 EDT
Message-id: <9407121525.AA02542@www3.cern.ch>
Reply-To: html-ig@oclc.org
Originator: html-ig@oclc.org
Sender: html-ig@oclc.org
Precedence: bulk
From: Tim Berners-Lee <timbl@oclc.org>
To: Multiple recipients of list <html-ig@oclc.org>
Subject: Re: Paul Burchard on HTML 2.0 FORMs
X-Listprocessor-Version: 6.0c -- ListProcessor by Anastasios Kotsikonas
X-Comment: HTML Implementation Group (Private)

|From: eric@oclc.org (Eric W. Sink)
|
|>The default method is GET, although for many applications,
|>the POST method will be preferred.  In the latter case,

The spec could be clearer.  GET is fine when so long as the
reult of the GET does not change anything (except log files!).
GET may not have side-effects.  To say this explicitly would be
less obscure, though it should be made clear that this is an
informational reference to HTTP, not part of HTML.

____________________________________ separate point

|This reminds me - are attributes like this to be recognized
|case-sensitively ?  XMosaic actually does match case, so that
|a form which reads
|
|  <FORM METHOD="post")
|
|is handled as a GET.  We've found one Web site which is coded exactly
|this way, and their server really is expecting a GET!  So, any browser
|which matches this attribute without regard to case, fails on their
|server!

Not, of course something to take into account in defining the spec! :-)

The HTTP spec specifies that the method IS case sensitive, so
the attribute has to be.


|>the ENCTYPE attribute is a MIME type
|>specifying the format of the POSTed data
|>(by default <CODE>application/x-www-form-urlencoded</CODE>).
|
|Not only is that the default ENCTYPE, it is the only one
|supported by any browser I know of.

Yes, but it is *horrible* for serious data representation,
and a method of sending it back as SGML, an HTML
subset, is preferable.  We plan to put the code for 



__________________ separate point __________________


|By the way, I'd love to see another attribute on the FORM
|tag, called SECUREONLY:
|
|  <FORM METHOD="POST" SECUREONLY>
|
|Basically, this tag forces the browser to refuse to send
|the user-entered information in a non-secure fashion.
|Since I know of no browsers implementing SHTTP or some
|relevant alternative, all current browsers would implement
|this attribute by simply refusing to submit the form.

Current browsers must ignore unknown attributes, though,
so a conforming existing browser would just submit unsecured.

In principle, one  could add some syntax to the method
like 

   <FORM METHOD="POST/SECUREONLY">
which should stop an existing browser working, but by
you description above, Mosaic will just fall back on GET!.

Tim