OSLC GET with selective properties should also support POST #591

Open

jamsden opened this issue Mar 30, 2023 · 2 comments

Comments

@jamsden
Member

jamsden commented Mar 30, 2023

CWE-598: Use of GET Request Method With Sensitive Query Strings suggests that REST services that use GET with query parameters that may expose sensitive information in the URL should also support POST so that the query parameters can be included in an entity request body instead.

This is a broader HTTP security issue that can be partially resolved by using TLS. But there may be cases where certain URLs have to be sent unencrypted to get through various proxies, etc. Or decrypted GET URLs could be stored in a user's browser where they could be exposed to hackers. TLS only addresses secure transition of HTTP requests; it does not address security of the content of those resources once they are consumed by a client or server.

OSLC Query already supports GET and POST for query strings. The only other GET in OSLC that might expose information is GET with selective properties. This would only expose property names, not values. However, CWE-598 explicitly uses an example of exposing database column names, which would be similar to exposing RDF resource property URLs.

OSLC Core 3.0 should be updated to support POST when using selective properties.

@jamsden
Member Author

jamsden commented Mar 30, 2023

The OSLC Core section on Selective Properties does not currently mention GET or POST. A conformance clause should be added indicating Selective Properties can be used with GET or POST in order to handle potentially large HTTP query strings, or secure sensitive information.

@DavidJohnHoney

An oslc.properties parameter value is a URL encoded list of property QNames. These will be mostly standard vocabulary terms such as dcterms:title, oslc:shortId etc. Most of these should not be sensitive. Users who define custom vocabularies should avoid exposing sensitive data in public facing property URIs, such as in owl:sameAs.

I disagree with the proposal. We already have URI patterns where a GET on a specific URI gets data, and a POST to the same URI would create data. LDPCs are an example. See the OSLC Configuration Management specification. The proposal would be a breaking change.
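As an added illustration of the two comments above (example code, not OSLC specification text or project code): a handler that reads oslc.properties either from a GET query string or from an application/x-www-form-urlencoded POST body, the form OSLC Query already accepts, and shows what an ordinary access log line keeps in each case. The prefix map and the acme vocabulary are constructed for the example, and nested selections are only expanded to their parent QName.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed prefix map, just enough for the sample; "acme" is a hypothetical custom vocabulary.
PREFIXES = {
    "dcterms": "http://purl.org/dc/terms/",
    "oslc": "http://open-services.net/ns/core#",
    "acme": "http://example.com/acme/ns#",
}

def expand_qname(qname):
    """Turn prefix:local into a full property URI; '*' selects all properties."""
    if qname == "*":
        return "*"
    prefix, _, local = qname.partition(":")
    if not local or prefix not in PREFIXES:
        raise ValueError(f"unknown or malformed QName: {qname!r}")
    return PREFIXES[prefix] + local

def split_top_level(value):
    """Split on commas outside {...}, so nested selections stay with their parent."""
    items, depth, cur = [], 0, []
    for ch in value:
        depth += (ch == "{") - (ch == "}")
        if ch == "," and depth == 0:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        items.append("".join(cur))
    return items

def selective_properties(method, url, body=None):
    """Property URIs named in oslc.properties, taken from the URL query for GET
    and from the urlencoded body for POST (parse_qs percent-decodes both)."""
    if method == "GET":
        params = parse_qs(urlsplit(url).query)
    elif method == "POST":
        params = parse_qs(body or "")
    else:
        raise ValueError("only GET and POST are handled here")
    raw = params.get("oslc.properties", [""])[0]
    # Only the parent QName of a nested selection like oslc:discussedBy{dcterms:title} is expanded.
    return [expand_qname(i.split("{", 1)[0]) for i in split_top_level(raw)]

def access_log_line(method, url):
    """What a typical access log records: method, path and the whole query string."""
    parts = urlsplit(url)
    return f"{method} {parts.path}" + (f"?{parts.query}" if parts.query else "")
```

The GET form leaves every selected property name in the logged request line, while the POST form carries the same list in a body that access logs, proxies and browser history do not normally keep.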
