On Wed, Mar 12, 2025 at 1:23 PM Mark Thomas <ma...@apache.org> wrote:
>
> All,
>
> I have been working through some specification compliance questions
> raised by some research into HTTP conformance [1].
>
> That paper's focus is security but I don't see any security concerns for
> Tomcat. I do see a number of false positive results and I have raised
> issues for those.
>
> One of the results relates to how Tomcat responds to a POST request. I
> am assuming it is the default servlet that responds as I don't see any
> Servlet or JSP code in the test.
>
> Looking at this got me thinking. Why is the default Servlet responding
> to a POST request as if it is a GET request? I can see a case for doing
> this for include/forwards but not for direct requests.

Because whatever back then seemed better that way if I did it that way. Allowing the current behavior for request dispatcher use would be good, yes, otherwise breakage seems quite likely (when doing that, you may not care about whatever the original HTTP method was unless it didn't work).

> Should we be returning 405 for direct requests using POST?

It seems possible.

Rémy

> Mark
>
> [1] https://github.com/cispa/http-conformance
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
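
The behaviour discussed in this thread (405 for direct POST requests, current behaviour kept for include/forward dispatches), sketched as a servlet filter placed in front of static content. This is an added example, not Tomcat code and not a patch from the thread; the class name `RejectDirectPostFilter`, the `jakarta.servlet` namespace (Tomcat 10 and later) and the `Allow` value are assumptions.

```java
import java.io.IOException;

import jakarta.servlet.DispatcherType;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Hypothetical filter (name is an assumption): rejects POST only when the
// request arrives directly from the client, not via RequestDispatcher.
public class RejectDirectPostFilter extends HttpFilter {

    private static final long serialVersionUID = 1L;

    // Assumed method list for read-only static resources.
    private static final String ALLOWED = "GET, HEAD, OPTIONS";

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res,
            FilterChain chain) throws IOException, ServletException {
        // REQUEST means a direct client request. INCLUDE and FORWARD mean the
        // application dispatched here itself; the original method may well be
        // POST in that case and must keep working.
        boolean direct = req.getDispatcherType() == DispatcherType.REQUEST;

        if (direct && "POST".equals(req.getMethod())) {
            // RFC 9110 requires an Allow header on a 405 response.
            res.setHeader("Allow", ALLOWED);
            res.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The explicit `DispatcherType` check keeps the include/forward case working even if the filter mapping is later extended with `<dispatcher>INCLUDE</dispatcher>` or `<dispatcher>FORWARD</dispatcher>`; with the default mapping the filter only sees direct requests anyway.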