what method name to use

[reschke]

(opening this so it has a discussion venue)

Currently, the spec uses "SEARCH" (for the reasons given in the spec).

Alternatives:

1. pick a new name
2. use GET with payload (probably unrealistic, just listed for completeness)
3. use POST and find a way to label it as safe
4. re-use another existing safe method that takes a body (PROPFIND, REPORT) (just listed for completeness)

The obvious drawback in "pick a new name" is the forseealke bike-shedding.

[mnot]

Just my .02.

Using POST is initially attractive because it's familiar; effectively we'd be extending the semantics of the method with a header.

However, I'm not sure it's a good idea. POST implies certain guarantees to clients, servers and intermediaries -- e.g., write-through. If an extension can change those guarantees, it's important that they're visible to all components, and an extension (e.g., a header) by nature can't guarantee that.

It seems to me that one of the critical things to do is to get a positive indication from the user agent that the request they're sending doesn't have write-through, so a POST extension would need to carry an indication from the client. However, the origin server is also likely to need to convey a cache key and perhaps additional information, which leads this approach to something that's looking complex; the client has to send a certain header, the server has to send a certain header, and an intermediary still might not understand what's going on (which might be good or bad).

So that makes me lean towards the status quo, (1), or (4) as being more straightforward.

Reusing an already-deployed name has been discussed elsewhere; I'm not convinced that it's going to add a lot of value, considering that most traffic is HTTPS now and so intermediaries with fixed lists of supported methods are much less common. If we had data that they'd get through e.g., an enterprise virus scanning proxy whereas a new method wouldn't, I'd be interested to see that.

Still, if SEARCH fits the bill adequately, I think it's fine. The real test will be whether folks (especially HTTP API developers) find it compelling enough to use; I'm not sure SEARCH quite gets there, but it's in the ballpark.

If we're going to consider new names, I'd suggest QUERY.

[martinthomson]

If the point of this exercise is to make safe-ness visible to intermediaries, then a method is the right place to put that signal.

I'm comfortable enough with SEARCH, though an entirely name would be equally good.

(I think that we should continue discussion about cache keys separately.)

[ioggstream]

I value a lot the ability for intermediaries to filter out write requests before they reach an application. Reusing POST won't have this advantage.

[tfpauly]

Interim discussion: switch document to use QUERY, which has good support from the attendees, and see how it seems to people who would be adopting.