Requiring Allow in 405 responses

[mnot@…]

In RFC 2616, section 10.4.6 405 Method Not Allowed:

The method specified in the Request-Line is not allowed for the resource identified by the Request-URI. The response MUST include an Allow header containing a list of valid methods for the requested resource.

which has the effect of requiring that a server advertise all methods to a resource. In some cases, method implementation is implemented across several (extensible) parts of a server and thus not known. In other cases, it may not be prudent to tell an unauthenticated client all of the methods that might be available to other clients.

[mnot@…]

Proposal: Change the MUST to MAY in 10.4.6.

[mnot@…]

Proposal:

• In p2 10.1, change "The actual set of allowed methods is defined by the origin server at the time of each request." to "The actual set of allowed methods is defined by the origin server at the time of each request, and may not necessarily include all (or any) methods that the server would actually allow in a request if presented." (with normal editorial discretion)

• In p2 10.1, remove "However, the indications given by the Allow header field value SHOULD be followed."

[julian.reschke@…]

Proposed change (see ​http://lists.w3.org/Archives/Public/ietf-http-wg/2008JanMar/0609.html)

[mnot@…]

Updated proposal:

• In the definition of Allow, change: The Allow entity-header field lists the set of methods supported by the resource identified by the Request-URI.

to

The Allow entity-header field advertises a set of methods as supported by the resource identified by the Request-URI.

• And, remove: This field cannot prevent a client from trying other methods. However, the indications given by the Allow header field value SHOULD be followed.

[julian.reschke@…]

Fixed in [240]:

Resolve #24: relax requirements for contents of Allow header (closes #24).