All,
I have been working through some specification compliance questions
raised by some research into HTTP conformance [1].
That paper's focus is security but I don't see any security concerns for
Tomcat. I do see a number of false positive results and I have raised
issues for those.
One of the results relates to how Tomcat responds to a POST request. I
am assuming it is the default servlet that responds as I don't see any
Servlet or JSP code in the test.
Looking at this got me thinking. Why is the default Servlet responding
to a POST request as if it is a GET request? I can see a case for doing
this for include/forwards but not for direct requests.
Should we be returning 405 for direct requests using POST?
Mark
[1] https://github.com/cispa/http-conformance