rest-discuss · REST Discussion Mailing List

Message #6620 of 18829
Re: [rest-discuss] Seeking feedback on the Blinksale API

On Oct 2, 2006, at 4:33 PM, Duncan Cragg wrote:

> Clearly there's a difference between a header declaring the type of
> stuff being transferred and the schema of that stuff, but once
> you've got up to XML, surely it's safe to transfer over from
> Content-Type to (explicit or implicit) schema?

No. What is the content difference between an archived invoice and
an invoice that I expect you to pay right now? There shouldn't be any.
The difference should be expressed in the action (method) and the
metadata (media type), not by changing the content. That is only
possible in a system that alters the media type based on the reason the
content is being viewed (i.e., the resource), which in turn is only
possible if we don't rely on a single meaningless media type for
message exchanges.

> What problems does it cause with intermediaries to only specify the
> low-level types (say, charset and the fact that it's XML)?

Intermediaries cannot find the schema inside an XML body fast enough
to keep up with Internet-scale systems, and even if they could that
is not sufficient information to tell the system how the sender intended
the message to be interpreted. The media type tells the recipient how
the sender expects it to be processed, not just what the format is.

> Indeed, what problems does it cause with a consumer of the XML,
> assuming they can spot the schema on the first line and/or figure
> out what they've got by a little scanning around the elements?

Because if one component believes that "text/xml" messages are safe
and another component believes that "text/xml" messages should be
treated like a dynamic invocation interface, then the only way to
prevent a security hole is to block all XML content. We have to all
agree that "text/xml" will be processed in a specific, safe manner,
and some dangerous stuff can be related to "application/flash+xml"
and other specific media types.

That way we can make a conscious decision to block dangerous content
only when it is used in a dangerous way. (Some people will block all
dangerous content anyway, but that is a separate issue.)

....Roy




Tue Oct 3, 2006 2:42 am

roy_fielding
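
The media-type gating discussed in the message above, sketched as an added example (not code from the thread or from any product): an intermediary decides from the Content-Type header alone, never from the body, so identical XML bytes are handled differently depending on their label and where they are used. The policy table, the zone names and the fail-closed treatment of unlisted types are assumptions of this sketch; "application/flash+xml" is the illustrative type named in the message.

```python
import re

# RFC 7230 "token" characters, used to validate type/subtype syntax.
TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
MEDIA_TYPE = re.compile(rf"^{TOKEN}/{TOKEN}$")

# Hypothetical policy: one agreed processing model per media type.
POLICY = {
    "text/xml": "inert-data",                    # parsed as data, never executed
    "application/xml": "inert-data",
    "application/flash+xml": "active-content",   # illustrative type from the message
}
# Hypothetical zones where active content is refused.
BLOCK_ACTIVE_IN = {"public-edge"}


def declared_type(header):
    """Return lowercase type/subtype from a Content-Type value, or None."""
    if not header:
        return None
    essence = header.split(";", 1)[0].strip().lower()
    return essence if MEDIA_TYPE.match(essence) else None


def decide(header, zone):
    """Decide from the header alone; the body is never opened or sniffed."""
    mtype = declared_type(header)
    if mtype is None:
        return ("block", "missing or malformed Content-Type")
    handling = POLICY.get(mtype)
    if handling is None:
        return ("block", "no agreed processing model for " + mtype)
    if handling == "active-content" and zone in BLOCK_ACTIVE_IN:
        return ("block", mtype + " not permitted in " + zone)
    return ("allow", handling)


def demo():
    # Constructed sample: byte-identical bodies, different labels and zones.
    body = b"<?xml version='1.0'?><doc/>"
    cases = [("text/xml; charset=utf-8", "public-edge"),
             ("application/flash+xml", "public-edge"),
             ("application/flash+xml", "internal"),
             (None, "internal")]
    return [(ct, zone, len(body), decide(ct, zone)) for ct, zone in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```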